Intrusion Detection Karthikeyan Mahadevan

Intrusion Detection What is Intrusion? Simply put, an intrusion is someone attempting to break into or misuse your system What is an ID? An intrusion detection system, or IDS for short, makes an attempt to find out these illegal exploits made on the system

Types of IDS Host Based ID Network Based ID Layered Defense Knowledge Based ID Behavior Based ID

Host Based ID It involves loading piece/pieces of software on a system to be monitored i.e. the data source is the host. Detected by: An audit file produced by the software Enables administrator to be informed of any attack that the system may have suffered...

Network Based Id These type of systems monitor the traffic on a particular network segment. Detection is based on this network info. It can be effectively seen as a packet monitoring system. In lay-man terms, it is similar to a sensor monitoring the packets. Sensor considers a packet as a potential threat iff its signature is pre-classified. The primary signatures of interest in Network Based Ids are string signatures, port signatures, and header condition signatures.

Signatures String Signatures : Packet has a text string that indicates a possible attack. e.g “cat”++” > /.rhosts Port Signatures: monitor the well known and/or frequently attacked ports. e.g telnet (TCP 23), FTP (TCP 20/21) etc. Header signatures: Look for dangerous or/and illogical combinations in packet header e.g A TCP packet with SYN and FIN flag set

Layered Defense Multiple “Layers” of security is employed Most popular misconception: A Firewall can thwart intrusions. But… it could protect only a part of the system. So? - A security model is needed. Following are the layers: –Security policy of your organization –Host system security –Auditing –Router security –Firewalls –Intrusion detection systems –Incident response plan

Knowledge Based ID Apply the knowledge accumulated about specific attacks and system vulnerabilities. ID has prior knowledge about what these attacks look like. Completeness and competency of such a system depends on the knowledge base.

Behavior Based ID Underlying assumption: Intrusion can be detected based on a deviation from normal or expected behavior. Again, success of such a system depends on the definition of “normal” or “expected”. The data pertaining to what constitutes normal behavior is gathered.

Computer Security Breaches- Statistics Denial of service attacks - 32%. Sabotage of data or networks - 19%. Financial fraud - 14%. Insider abuse of Internet access privileges (for example, downloading pornography or pirated software or engaging in inappropriate use of systems) - 97%. –This increase indicates that the danger of entanglement in civil liability suits is also on the rise. Virus contamination - 90%. Laptop theft - 69%.

Types of Attacks I Denial of Services (DoS) : On the Internet, a denial of service (DoS) attack is an incident in which a user or organization is deprived of the services of a resource they would normally expect to have DDoS: On the Internet, a distributed denial-of-service (DDoS) attack is one in which a multitude of compromised systems attack a single target, thereby causing denial of service for users of the targeted system. The flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to the system to legitimate users

Types of Attacks II Buffer Overflow: Occurs when a program or process tries to store more data in a buffer than it was intended to hold. Buffers are defined to hold limited data. If the limit is exceeded, data can overflow into adjacent buffers, thereby corrupting or overwriting valid data held in them. Could be unintentional through programming error. Buffer overflow is an increasingly common type of security attack on data integrity. In buffer overflow attacks, the extra data may contain codes designed to trigger specific actions, in effect sending new instructions to the attacked computer

Sample Code - Buffer Over Flow char shellcode[] = Architecture Dependent Shell Code char large_string[128]; void main() { char buffer[96]; int i; long *long_ptr = (long *) large_string; for (i = 0; i < 32; i++) *(long_ptr + i) = (int) buffer; for (i = 0; i < strlen(shellcode); i++) large_string[i] = shellcode[i]; strcpy(buffer,large_string); }

Why is the previous code dangerous?? What we have done above is filled the array large_string[] with the address of buffer[], which is where our code will be. Then we copy our shellcode into the beginning of the large_string string. strcpy() will then copy large_string onto buffer without doing any bounds checking, and will overflow the return address, overwriting it with the address where our code is now located. Once we reach the end of main and it tried to return it jumps to our code, and execs a shell. -- CERT Reports say 65 % of threats are buffer overflows

Other attacks There are innumerable types of other attacks. Focus is on the two discussed here, since they constitute many of the major headlines today. A vast majority of other types of attacks are caused by programming flaws. –Bad programming in C is also a reason, there are functions that don’t check bounds.

Solutions - Existing There are infinite (exaggeration!!) number of ID’s available in the market. Approach –is to monitor the network traffic. Packet Signature analysis –based on a database with information about all the known types of attacks and signatures

Secure Programming This is one of the hottest field of research in the security area. There are compilers available, that test code and mark out the parts that are insecure e.g Cyclone Focus: Make the existing code error free. That is, the libraries which use functions that don’t check bounds.

System Call traces Any task performed on a system is a sequence of system calls. The task is cut out. We have to build a profile (into a database) with the known sequences of system calls. Based on this knowledge we can deterministically say whether or not a sequence of calls is a intrusion or not.

System Call Traces - Cont’d Profiling a database with normal sequences is easy. Then we have to develop synthetically, a database that has profiles of unused programs or those rarely used. The next step is categorization of normal and deviation from normal.

Future Work How effectively this can be done in order that there is no false alarm (report a normal event as intrusion-false negative),. and no intrusion is missed (false positive) Existing methods trigger a human intervention - Automated ID’s