1 Figure 10-4: Intrusion Detection Systems (IDSs) HOST IDSs  Protocol Stack Monitor (like NIDS) Collects the same type of information as a NIDS Collects data even if host is in NIDS blind spot Gives data specific to hosts; relevant for diagnosis Might see data after decryption

2 Figure 10-4: Intrusion Detection Systems (IDSs) HOST IDSs  Operating System Monitors Collect data on operating system events Failed logins Attempt to change system executables Attempt to change system configuration (registry keys, etc.)

3 Figure 10-4: Intrusion Detection Systems (IDSs) HOST IDSs  Application Monitors (Monitor Specific Applications) What users did in terms relevant to an application for easy interpretation Filtering input data for buffer overflows Signatures of application-specific attacks

4 Figure 10-4: Intrusion Detection Systems (IDSs) Recap  Protocol monitor Protocol events (suspicious packets, etc.)  Operating monitor Operating system events (file changes, etc.)  Application monitor Application events (application commands issued)

5 Figure 10-4: Intrusion Detection Systems (IDSs) HOST IDSs  Weaknesses of Host IDSs Limited Viewpoint; Only see events on one host If host is hacked, Host IDS can be attacked and disabled

6 Figure 10-4: Intrusion Detection Systems (IDSs) HOST IDSs  Other host-based tools File integrity checker programs  Create baseline message digests for sensitive files  After an attack, recompute message digests  This tells which files were changed; indicates Trojan horses, etc.

7 Figure 10-4: Intrusion Detection Systems (IDSs) HOST IDSs  Other host-based tools Operating system lockdown tools  Limits changes possible during attacks  Limits who may make crucial changes  May interfere with software functioning

8 Figure 10-4: Intrusion Detection Systems (IDSs) Log Files  Flat files of time-stamped events  Individual logs  Integrated logs Aggregation of event logs from multiple IDS agents (Figure 10-7) Difficult to create because of format incompatibilities Time synchronization of IDS event logs is crucial (NTP) Can see suspicious patterns in a series of events across multiple devices

9 Figure 10-7: Event Correlation for an Integrated Log File Sample Log File (Many Irrelevant Log Entries Not Shown) 1. 8:45:05. Packet from to (network IDS log entry) 2. 8:45:07. Host Failed login attempt for account Lee (Host log entry) 3. 8:45:08. Packet from to (network IDS log entry) 4. 8:49:10. Packet from to (network IDS log entry) 5. 8:49:12. Host Failed login attempt for account Lee (Host log entry) External Host Internal Host

10 Figure 10-7: Event Correlation for an Integrated Log File Sample Log File (Many Irrelevant Log Entries Not Shown) 6. 8:49:13. Packet from to (network IDS log entry) 7. 8:52:07. Packet from to (network IDS log entry) 8. 8:52:09. Host Successful login attempt for account Lee (Host log entry) 9. 8:52:10. Packet from to (network IDS log entry) 10. 8:56:12. Packet from to TFTP request (network IDS log entry) 11. (no corresponding host log entry) 12. 8:56:28. Series of packets from to TFTP response (network IDS) 13. (no more host log entries)

11 Figure 10-7: Event Correlation for an Integrated Log File Sample Log File (Many Irrelevant Log Entries Not Shown) 14. 9:03:17. Packet from to SMTP (network IDS) 15. 9:06:12. Packet from to SMTP (network IDS) 16. 9:10:12. Packet from to TCP SYN=1, Destination Port 80 (network IDS) 17. 9:10:13: Packet from to TCP SYN=1, Destination Port 80 (network IDS)

12 Figure 10-4: Intrusion Detection Systems (IDSs) Analysis Methods  Static packet filtering  Stateful filtering  Full protocol decoding (filters based upon stage in dialogue—login, etc.)  Statistical analysis (frequency thresholds for reporting)  Anomaly detection (compares normal and current operation) Creates many false positives