Intrusion Detection Systems CS391

Overview  Define the types of Intrusion Detection Systems (IDS).  Set up an IDS.  Manage an IDS.  Understand intrusion prevention.

Overview  Intrusion detection is a reactive concept that tries to identify a hacker when they attempt a penetration.  Intrusion detection can also assist in the proactive identification of active threats. It provides indications and warnings that a threat is gathering information for an attack.

Overview  Night watchmen and guard dogs are forms of IDS.  They serve two purposes. They provide a means of identifying that something bad was happening, while deterring the perpetrator.

What is an IDS?  Intrusion detection is the art of detecting and responding to computer misuse.  An Intrusion Detection System is a hardware/software tool used to detect unauthorized access to a computer system or network.

IDS Structure  An IDS is composed of several components: Sensors which capture events and store them as audit data, Sensors which capture events and store them as audit data, an engine that generates alarm signals from the audit data captured, an engine that generates alarm signals from the audit data captured, and a Site Security Officer(SSO) who receives the alarms and responds accordingly. and a Site Security Officer(SSO) who receives the alarms and responds accordingly.

Some Terminology  Intrusion: Unauthorized access to an information system. It generally from outside the organization  Intrusion Detection: Detecting unauthorized access to a computer network  False positive: An alarm that is not misuse. False positives consume time and resources.  False negative: Misuse not detected or alarmed

Activities and Data  Audit collection: Audit data are used to make intrusion detection decisions. These data may be collected in many ways, but usually network activity and/ or host-based logs are used as sources of audit data.  Audit storage: Audit data collected must be stored somewhere. The volume of data is often exceedingly large.

Activities and Data  Processing: This forms the heart of the IDs. It is here where algorithms are executed to find suspicious behavior in the system.  Configuration data: These Specify how and where to collect the audit data, how to respond to intrusions, etc. This is the main way by which the SSO can control the IDS’s behavior. This data is quite sensitive, since if the intruder can gain access to it, he might be able to device attacks that go undetected.

Activities and Data  Reference data: These data have information about known intrusion signatures and/or normal behavior profiles.  Active/Processing Data: These are the intermediate results stored by the intrusion detection system. The space needed to store these data may grow very large.  Alarm: It is the signal produced on detecting a potential intrusion. This alarm may be just a signal to the SSO about the intrusion, or may be an automated response to the intrusion

Define the types of Intrusion Detection Systems There are two primary types of IDS: Host-based Host-based Network-based Network-based

Host-Based IDS  A Host-based Intrusion Detection System (HIDS) resides on a particular host and looks out for indications of attacks on that host.  HIDS is a system of sensors that are loaded onto various servers within an organization. They are controlled by some central manager.

Host-Based IDS  The sensors can: Look for various types of events. Look for various types of events. Take action on the particular server. Take action on the particular server. Send out a notification. Send out a notification.

Host-based IDS There are five basic types of HIDS sensors: Log analyzers Log analyzers Signature-based sensors Signature-based sensors System call analyzers System call analyzers Application behavior analyzers Application behavior analyzers File integrity checkers File integrity checkers

Host-based IDS  Log analyzers are reactive in nature and look for events that may be a security breach.  They are particularly adapted to track authorized users.  Signature-based sensors compare incoming traffic to a built-in signature.  They are also reactive in nature and may be used to track authorized users.

Host-based IDS  System call analyzers sit between the OS and the applications to analyze calls being sent. It compares the calls to a database of signatures.  Application behavior analyzers sit between the OS and the applications and examine calls to check for authorization.  File integrity checkers look for changes in the file, typically through checksums or digital signatures.

Network-based IDS  A NIDS resides on a separate system that watches network traffic, looking for indications of attacks that traverse the network.  A NIDS places the Network Interface Card (NIC) on the system into promiscuous mode to pass traffic to the NIDS software for analysis.  NIDS are primarily signature-based.

Promiscuous Mode  promiscuous mode is a mode of operation in which every data packet transmitted can be received and read by a network adapter.  Promiscuous mode must be supported by each network adapter as well as by the input/output driver in the host operating system.  Promiscuous mode is often used to monitor network activity

Network-based IDS  NIDS systems have two NICs: one is configured in stealth mode to monitor the network and the second is used to send alarms.  The advantages of using a NIDS are the following: It can be hidden on the network. It can be hidden on the network. It can capture the contents of all packets traveling to a target system. It can capture the contents of all packets traveling to a target system. It monitors traffic for a large number of systems. It monitors traffic for a large number of systems.

Network-based IDS The disadvantages of using a NIDS are as follows: It will only alarm if traffic matches preconfigured rule. It will only alarm if traffic matches preconfigured rule. It can miss traffic of interest because of high bandwidth usage. It can miss traffic of interest because of high bandwidth usage. It cannot determine if an attack was successful. It cannot determine if an attack was successful. It cannot examine encrypted traffic. It cannot examine encrypted traffic. Switched networks require special configuration. Switched networks require special configuration.

Set up an IDS  The effective use of an IDS must include the proper planning and involvement of executive management.  The steps for creating IDS implementation are: Define the goals of the IDS. Define the goals of the IDS. Choose what to monitor. Choose what to monitor. Choose the response. Choose the response. Set thresholds. Set thresholds. Implement the policy. Implement the policy.

Defining the Goals of the IDS The goals of the IDS provide the requirements for the IDS policy. Potential goals include the following: Detection of attacks. Detection of attacks. Prevention of attacks. Prevention of attacks. Detection of policy violations. Detection of policy violations. Enforcement of use policies. Enforcement of use policies. Enforcement of connection policies. Enforcement of connection policies. Collection of evidence. Collection of evidence.

Choosing What to Monitor  The choice of what an IDS should monitor is governed by the goals of the IDS and the environment in which the IDS will function.  The choice of what an IDS should monitor, governs the placement of sensors, as they must be able to see the events of interest.

Choosing What to Monitor  For a network using switches, a NIDS sensor will not function properly if it is just connected to a switch port.  Instead, you should see how to direct traffic to the IDS.

Choosing How to Respond  Response choices are governed by the goals of the IDS.  When an event occurs, there are two types of responses: Passive response: a response that does not directly impede the attacker’s actions. Passive response: a response that does not directly impede the attacker’s actions. Active response: a response that does directly attempt to impede that attacker’s actions. Active response: a response that does directly attempt to impede that attacker’s actions.

Passive Response  A passive response is the most common type of action when an intrusion is detected.  Passive responses have a lower probability of causing disruptions to legitimate traffic while being the easiest to implement in a completely automated fashion.

Passive Response Passive responses include: Shunning: ignoring the attack. Shunning: ignoring the attack. Logging: gathering basic information. Logging: gathering basic information. Additional logging: collecting more information about the event than is normally captured. Additional logging: collecting more information about the event than is normally captured. Notification: informing an individual about the event. Notification: informing an individual about the event.

Active Response  Active responses include: Termination of connections, sessions, or processes Termination of connections, sessions, or processes Network reconfiguration Network reconfiguration Deception Deception  An active response to an event allows the quickest possible action to reduce the impact of the event.

Active Response  It can also cause disruption or complete denial of service to legitimate users.  Network reconfiguration may stop the intruder, but can have a negative impact on partners and customers, causing loss of productivity.

Setting Thresholds  Thresholds provide protection against false positive indications.  They enhance the overall effectiveness of an IDS policy.  They can be used to filter out accidental events from intentional events.  Thresholds that detect attacks should be set to ignore low-level probes or single information-gathering events.

Setting Thresholds Parameters that must be considered in setting thresholds are: User expertise User expertise Network speed Network speed Expected network connections Expected network connections Administrator/security officer workload Administrator/security officer workload Sensor sensitivity Sensor sensitivity Security program effectiveness Security program effectiveness

Implementing the System  The actual implementation of the IDS policy must be carefully planned.  There are few easier ways to disrupt a well-managed network than to introduce a badly configured IDS.

Implementing the System  Once the IDS policy has been developed and the initial threshold settings calculated, it should be put into place with the final policy.  The IDS should be monitored closely for some period of time while the thresholds are evaluated.

Manage an IDS To make a decision for an organization to implement an IDS, the organization should understand the goals of the program. They are: Understand what an IDS can tell. Understand what an IDS can tell. Investigate suspicious events. Investigate suspicious events.

Understand What an IDS Can Tell You There are two components to an IDS configuration: The attack signatures that have been programmed into the system. The attack signatures that have been programmed into the system. Any additional events that the administrator has identified as being of interest. Any additional events that the administrator has identified as being of interest.

Understand What an IDS Can Tell You When the IDS has been properly configured, the four types of events that the IDS will show are: Reconnaissance events Reconnaissance events Attacks Attacks Policy violations Policy violations Suspicious or unexplained events Suspicious or unexplained events

Investigate Suspicious Events When a suspicious activity occurs, any of these four steps can be taken to determine if the activity constitutes an actual or attempted intrusion: Identify the systems. Identify the systems. Log additional traffic between the source and destination. Log additional traffic between the source and destination. Log all traffic from the source. Log all traffic from the source. Log the contents of packets from the source. Log the contents of packets from the source.

Understand Intrusion Prevention  Intrusion prevention involves a proactive rather than reactive approach to IDS.  To prevent an intrusion, the attack must be stopped before it reaches the target system.  To prevent an intrusion, the actual attack must be either stopped before it reaches the target system or stopped before the target system can execute the code that exploits the vulnerability.

Understand Intrusion Prevention  HIDS sensors such as system call analyzers and application behavior analyzers have the potential to prevent an attack.  For a NIDS to prevent attacks, the standard configuration must be changed to place the NIDS in line with the traffic.  IDS that are proactive can raise the potential for denial of service and cause overall availability issues.

signatures  A signature is a rule that examines a packet or series of packets for certain contents, such as matches with packet headers and packet payloads.  Two types: context : header  content: payload  Atomic or composite

Categories of signatures  Informational:  Reconnaissance:  Access.  Dos

Summary  Intrusion detection is a reactive concept that tries to identify a hacker when a penetration is attempted.  A HIDS resides on a particular host and looks for indications of attacks on that host.  A NIDS resides on a separate system that watches network traffic and looks for indications of attacks that traverse the network.

Summary  The effective use of an IDS must include the proper planning and involvement of executive management.  Passive responses have a lower probability of causing disruptions to legitimate traffic while being the easiest to implement in a completely automated fashion.

Summary  An active response to an event allows the quickest possible action to reduce the impact of the event.  To prevent an intrusion, the attack must be stopped before it reaches the target system.