Intrusion Detection
CSEM02, University of Sunderland
Harry R. Erwin, PhD
Resources
–B. Schneier, 2000, Secrets and Lies, Wiley, ISBN:
–E. Amoroso, 1999, Intrusion Detection, Intrusion.net, ISBN:
–R. G. Bace, 2000, Intrusion Detection, Macmillan Technical Publishing, ISBN:
We will mostly follow Schneier in this lecture.
Intrusion Detection Systems (IDS)
–Network monitors: watch your network looking for suspicious behavior
–Often, but not always, based on audit
–Provide reactive rather than proactive security
–Alert on successful and ongoing attacks
–Need to be accurate both in detecting attacks and in determining that an attack is not underway
–May also provide diagnosis tools
The False Alarm Problem
–Base rate fallacy: suppose you have a test that is 99% accurate. Is this good? Not necessarily!
–Suppose the real attack rate is 1x
–This test will generate 10,000 false positives for every real attack it detects. (Work it out…)
–If network attacks are rare, a test has to be powerful to be useful.
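The arithmetic behind this slide, worked through as an added example (not part of the lecture): "99% accurate" is read as a 99% detection rate with a 1% false alarm rate, and the attack rate of one monitored event in a million is an assumption chosen to match the slide's figure of roughly 10,000 false positives per real detection.

```python
"""Base-rate fallacy for IDS alarms: false alarms per real detection.

Added worked example. The one-in-a-million attack rate is an assumption
picked to reproduce the slide's "10,000 false positives per real attack".
"""


def alarm_stats(attack_rate: float, detection_rate: float, false_alarm_rate: float) -> dict:
    """Per-event alarm statistics for an IDS at a given operating point.

    attack_rate      -- fraction of monitored events that are real attacks (base rate)
    detection_rate   -- P(alarm | attack), i.e. sensitivity
    false_alarm_rate -- P(alarm | no attack), i.e. 1 - specificity
    """
    p_true_alarm = attack_rate * detection_rate
    p_false_alarm = (1.0 - attack_rate) * false_alarm_rate
    p_alarm = p_true_alarm + p_false_alarm
    return {
        # Bayes' rule: probability that an alarm that fired is a real attack
        "p_attack_given_alarm": p_true_alarm / p_alarm,
        # How many false alarms an analyst wades through per real detection
        "false_alarms_per_detection": p_false_alarm / p_true_alarm,
    }


def required_false_alarm_rate(attack_rate: float, detection_rate: float,
                              max_false_per_detection: float) -> float:
    """Largest P(alarm | no attack) that keeps false alarms per detection within budget.

    Solving (1 - b) * f / (b * d) <= k for f shows that the tolerable false
    alarm rate shrinks with the base rate: rare attacks demand a powerful test.
    """
    return max_false_per_detection * attack_rate * detection_rate / (1.0 - attack_rate)


if __name__ == "__main__":
    for base_rate in (1e-2, 1e-4, 1e-6):
        s = alarm_stats(base_rate, detection_rate=0.99, false_alarm_rate=0.01)
        print(f"attack rate {base_rate:.0e}: P(attack | alarm) = {s['p_attack_given_alarm']:.4f}, "
              f"false alarms per detection = {s['false_alarms_per_detection']:,.0f}")
    # Budget of one false alarm per real detection at the one-in-a-million rate
    print(f"needed false alarm rate: {required_false_alarm_rate(1e-6, 0.99, 1.0):.2e}")
```

At a 1% attack rate the same 99% test yields one false alarm per detection; at one in a million it yields about 10,100, and the false alarm rate would have to fall to roughly one in a million to get back to parity.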
The Timely Notification Problem
–You may want to be warned in time to do something, but…
–What about slow attacks? When should the IDS become suspicious and tell you?
–What about ambiguous evidence? Do you want to be warned about borderline cases?
The Response Problem
–What do you do if you do hear an alarm? I.e., the problem with giving out general warnings of terrorist activity.
–Options include:
  –Wait
  –Collect more information
  –Do something
  –Hope it goes away
–You may be too busy fighting alligators to do anything intelligent about draining the swamp.
Approaches to Building an IDS
Misuse detection
–IDS knows what an attack looks like and looks for it.
–“Network virus scanner”
–Fast, easy to build, has a low false positive rate.
–Misses a lot and is easy to fool.
–Probably will get better over time.
Approaches to Building an IDS (II)
Anomaly detection
–Generates a statistical or neural network model of the network to figure out what is normal
–Sounds an alarm for abnormal activity
–Uses AI:
  –Bayesian statistics
  –Neural networks
  –Expert systems
Problems with Anomaly Detection
–Does the training data include an attack? Then hacking will be considered normal. 8(
–New things happen on networks all the time. Successful retraining of an existing AI system to handle this is a hard problem, worth a PhD. 8(
–How can it categorize attacks? That requires expert input. 8(
–False positives are much higher. 8(
–Attack indicators are brittle, so hackers can sneak past them. 8(
Inline versus Audit-Based IDS
Should the IDS detect attacks in real time or by processing audit logs?
–Inline will have incomplete data.
–Inline is also computationally expensive.
–Audit log processing is after the fact.
–Audit log formats vary quite a bit.
–A combined approach is feasible, but costly.
Host-Based versus Network-Based IDS
Network-based IDS is basically wire-tapping
–Stealthy
–Operating-system independent
Host-based IDS uses audit logs
–From workstations, servers, switches, routers, etc.
–Product-specific.
Make or Buy
Do your own monitoring or pay someone else?
–Counterpane
–Qinetiq
–Other vendors are important, too.
–SRM is a local company that does this.
Trust issues are particularly important.
In-house expertise requirement.
Honey Pots and Burglar Alarms
–Burglar alarms are resources on the network that generate an alarm if accessed incorrectly.
–Honey pots are burglar alarms dressed up to look attractive. May incorporate subnetworks and dummy computers.
  –Costly
  –Have to look real to the attackers
  –Legality important. Entrapment may be an issue, so intruders must be warned.
Read See also
Incident Handling Issues
–Be prepared
–Have procedures
–Don’t panic
–Call in the police?
–Expectation management
–Damage control
–Dealing with witch hunts
IDS Requirements
Must be:
–Effective
–Easy to use
–Adaptable
–Robust
–Fast
–Efficient
–Safe
Future IDS Needs
Should be:
–Accommodating
–Security enhancing
–Scalable
–Realistic
–Hardened
Conclusions
–We aren’t there yet, but any IDS is better than none at all.
–This is the place to be if you want to work on secure systems development.