Detection Intrusion, Malware, and Fraud
2 Intrusion Detection Systems
IDSs were developed to address the increasing number of network attacks. An IDS monitors hosts or network traffic and raises an alert when it sees activity it classifies as hostile. IDSs are categorized as:
- Signature-based: match observed events against patterns of known attacks
- Anomaly-based: flag events that differ from an established baseline of normal behaviour

3 What is IDS?
The ideal Intrusion Detection System will notify the system/network manager of a successful attack in progress:
- With 100% accuracy
- Promptly (in under a minute)
- With complete diagnosis of the attack
- With recommendations on how to block it
...Too bad it doesn't exist!!

4 Objectives: 100% Accuracy and 0% False Positives
A false positive is when a system raises an incorrect alert
- The "boy who cried 'wolf!'" syndrome
0% false positives is the goal
- It's easy to achieve this: simply detect nothing
0% false negatives is another goal: don't let an attack pass undetected
- Driving either rate to zero on its own is trivial; the hard part is lowering both at once, because every detection threshold trades one against the other

5 Objectives: Prompt Notification
To be maximally accurate the system may need to "sit on" information for a while until all the details come in
- e.g.: slow-scan attacks may not be detected for hours
- This has important implications for how "real-time" an IDS can be!
- The IDS should tell the user what its detection lag is

6 Objectives: Prompt Notification (cont)
The notification channel must be protected
- What if the attacker is able to block the notification mechanism?
- An IDS that sends its alerts over the same path that is under attack (e-mail, for example) is going to have problems notifying you that your server is under a denial of service attack!

7 Objectives: Diagnosis
Ideally, an IDS will categorize/identify the attack
- Few network managers have the time to know intimately how the many different network attacks are performed

8 Objectives: Recommendation
The ultimate IDS would not only identify an attack, it would:
- Assess the target's vulnerability
- If the target is vulnerable, notify the administrator
- If the vulnerability has a known "fix", include directions for applying the fix
This requires huge, detailed knowledge

9 IDS: Pros
A reasonably effective IDS can identify
- Internal hacking
- External hacking attempts
May act as a backstop if a firewall or other security measures fail

10 IDS: Cons
IDSs don't typically act to prevent or block attacks
- They don't replace firewalls, routers, etc.
If the IDS detects trouble on your interior network, what are you going to do?
- By definition it is already too late: the intruder is inside

11 Paradigms for Deploying IDS
- Attack Detection
- Intrusion Detection

12 Attack Detection
[Diagram: Internet -> Router w/some screening -> Firewall -> DMZ Network (WWW Server) and Internal Network (Desktop); the IDS sensor sits outside the firewall]
IDS detects (and counts) attacks against the Web Server and firewall

13 Attack Detection
Placing an IDS outside of the security perimeter records the attack level
- Presumably, if the perimeter is well designed, the attacks should not affect it!
- Still useful information for management ("we have been attacked 3,201 times this month...")
- Prediction: the AD sensor will generate a lot of noise and be ignored quickly

14 Intrusion Detection
[Diagram: same topology as slide 12; the IDS sensor sits on the Internal Network, inside the firewall]
IDS detects hacking activity WITHIN the protected network, incoming or outgoing

15 Intrusion Detection
Placing an IDS within the perimeter will detect instances of clearly improper behaviour
- Hacks via backdoors
- Hacks from staff against other sites
- Hacks that got through the firewall
When the IDS alarm goes off, it's a red alert

16 Attack vs Intrusion Detection
Ideally do both
Realistically, do ID first, then AD
The real question here is one of staffing costs to deal with the alerts generated by AD systems

17 IDS Data Source Paradigms
- Host Based
- Network Based

18 Host Based IDS
Collect data, usually from within the operating system
- C2 audit logs
- System logs
- Application logs
Data is collected in a very compact form
- But it is application / system specific

19 Host Based: Pro
Quality of information is very high
- Software can "tune" what information it needs
- Kernel logs "know" who the user is
Density of information is very high
- Logs often contain pre-processed information

20 Host Based: Con
Capture is often highly system specific
- Usually only 1, 2 or 3 platforms are supported ("you can detect intrusions on any platform you like as long as it's Solaris or NT!")
Performance is a wild-card
- To unload computation from the host, logs are usually sent to an external processing system

21 Network Based IDS
Collect data from the network, via a hub or a monitor port on a switch
- Reassemble packets
- Look at headers
Try to determine what is happening from the contents of the network traffic
- User identities, etc. are inferred from actions, since the wire carries no authenticated user name

22 Network Based: Pro
No performance impact on the monitored hosts
No management impact on the platforms being monitored
Works across operating systems
Can derive information that host based logs might not provide (packet fragmenting, port scanning, etc.)

23 Network Based: Con
May lose packets on flooded networks
May mis-reassemble packets (and so can be evaded by deliberate fragmentation)
May not understand O/S specific application protocols (e.g.: SMB)
May not understand obsolete network protocols (e.g.: anything non-IP)
Cannot inspect encrypted payloads

24 IDS Paradigms
- Anomaly Detection - the AI approach
- Misuse Detection - simple and easy
- Hybrids - a bit of this and that

25 Anomaly Detection
Goals:
- Analyse the network or system and infer what is normal
- Apply statistical or heuristic measures to subsequent events and determine if they match the model/statistic of "normal"
- If events are outside of a probability window of "normal", generate an alert (the width of the window gives tuneable control of false positives)

26 Anomaly Detection (cont)
Typical anomaly detection approaches:
- Neural networks - probability-based pattern recognition
- Statistical analysis - modelling the behaviour of users and looking for deviations from the norm
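Added example (not from the slides, and not code from any product named on them): a small statistical anomaly detector in Python. It learns, per host, the mean and standard deviation of distinct destination ports contacted per minute from a constructed training window, then scores later minutes with a z-score and alerts when the score falls outside a window of plus or minus a threshold. The threshold is the tuneable control of false positives from slide 25 and the trade-off from slide 4: a strict window (3.0) lets a moderately high minute pass that a looser window (2.5) alerts on. The hosts, counts and the rule that a never-seen host is itself an anomaly are assumptions made for this example.

```python
"""Toy statistical anomaly detector (added example, not from the slides).

Baseline: per host, the mean and standard deviation of "distinct destination
ports contacted per minute", learned from a training window.  Detection: flag
any later minute whose z-score falls outside a tunable window.  Widening the
window cuts false positives and raises false negatives; narrowing it does the
reverse."""
import statistics
from collections import defaultdict

# Constructed training data: (host, minute, distinct destination ports contacted).
TRAINING = (
    [("10.0.0.5", m, c) for m, c in enumerate([3, 4, 2, 5, 3, 4, 3, 2, 4, 3])]
    + [("10.0.0.9", m, c) for m, c in enumerate([10, 12, 9, 11, 10, 13, 11, 10, 12, 11])]
)

# Constructed events to score against that baseline.
EVENTS = [
    ("10.0.0.5", 10, 4),    # ordinary minute for this host
    ("10.0.0.5", 11, 40),   # burst of new ports: looks like a port scan
    ("10.0.0.9", 10, 14),   # slightly high; alert or not depends on the window
    ("10.0.0.7", 10, 3),    # host never seen during training (assumption: anomalous)
]


def build_baseline(samples):
    """Return {host: (mean, population stdev)} of per-minute counts."""
    per_host = defaultdict(list)
    for host, _minute, count in samples:
        per_host[host].append(count)
    return {
        host: (statistics.fmean(counts), statistics.pstdev(counts))
        for host, counts in per_host.items()
    }


def zscore(baseline, host, count, min_stdev=0.5):
    """Standard score of count for host, or None if the host has no baseline.
    min_stdev keeps a very regular host from dividing by (almost) zero."""
    if host not in baseline:
        return None
    mean, stdev = baseline[host]
    return (count - mean) / max(stdev, min_stdev)


def detect(baseline, events, threshold=3.0):
    """Return (host, minute, count, z) for each event outside the window |z| <= threshold.

    threshold is the tuning knob from the slide: lower it for more alerts (and more
    false positives), raise it for fewer.  A host with no baseline is reported with
    z=None; in this design 'never seen before' is itself treated as an anomaly."""
    alerts = []
    for host, minute, count in events:
        z = zscore(baseline, host, count)
        if z is None:
            alerts.append((host, minute, count, None))
        elif abs(z) > threshold:
            alerts.append((host, minute, count, round(z, 2)))
    return alerts


if __name__ == "__main__":
    base = build_baseline(TRAINING)
    for t in (3.0, 2.5):
        print(f"threshold={t}:")
        for alert in detect(base, EVENTS, threshold=t):
            print("  ALERT", alert)
```

Running it shows the slide's point about categorisation as well: the detector can say that 10.0.0.5 contacted far more ports than usual in minute 11, but not that this was a port scan; an analyst still has to work that out from the raw events.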

27 Anomaly Detection: Pro
If it works, it could conceivably catch any possible attack
If it works, it could conceivably catch attacks that we haven't seen before
- Or close variants of previously-known attacks
Best of all, it won't require constantly keeping up on hacking technique

28 Anomaly Detection: Con
Current implementations don't work very well
- Too many false positives/negatives
Cannot categorize attacks very well
- "Something looks abnormal"
- Requires expertise to figure out what triggered the alert
- Ex: neural nets can't say why they trigger

29 Anomaly Detection: Examples
Most of the research is in anomaly detection
- Because it's a harder problem
- Because it's a more interesting problem
There are many examples, these are just a few
- Most are at the proof of concept stage

30 Misuse Detection
Goals:
- Know what constitutes an attack
- Detect it

31 Misuse Detection (cont)
Typical misuse detection approaches:
- "Network grep" - look for strings in network connections which might indicate an attack in progress

32 Misuse Detection: Pro
- Easy to implement
- Easy to deploy
- Easy to update
- Easy to understand
- Low false positives
- Fast

33 Misuse Detection: Con
- Cannot detect something previously unknown
- Constantly needs to be updated with new rules
- Easier to fool: an attacker who knows the rule can encode or fragment the attack so that the pattern never appears on the wire as written
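Added example (not from the slides, and not Snort's or any other product's code): a Python "network grep" misuse detector with two constructed signatures, run over constructed TCP segments. It covers the misuse-detection goal of slides 30 and 31 (know the pattern, grep for it) and the "easier to fool" point of slide 33: matched packet by packet, an attack split across two out-of-order segments and one that percent-encodes its path both slip through; matched on the reassembled, normalised stream, both are caught. The signature names, addresses and request payloads are assumptions made for this example, and the reassembly deliberately ignores real TCP details such as window and retransmission semantics.

```python
"""Toy 'network grep' misuse detector (added example, not from the slides).

Each signature is a byte pattern; an alert fires when the pattern occurs in a
TCP connection's payload.  per_packet_alerts() greps each segment on its own,
stream_alerts() greps the reassembled and percent-decoded stream."""
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import unquote_to_bytes


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


# Signatures constructed for the example (not real Snort rules).
SIGNATURES = {
    "WEB-ATTACK cmd.exe access": re.compile(rb"cmd\.exe", re.IGNORECASE),
    "WEB-ATTACK /etc/passwd access": re.compile(rb"/etc/passwd"),
}


def match_signatures(data: bytes):
    """Names of all signatures whose pattern occurs somewhere in data."""
    return [name for name, rx in SIGNATURES.items() if rx.search(data)]


def per_packet_alerts(segments):
    """Naive network grep: every segment is inspected in isolation."""
    return [(s.src, s.dst, name) for s in segments for name in match_signatures(s.payload)]


def reassemble(segments):
    """Group segments by (src, dst) and rebuild each stream in sequence order.

    Segments are placed by sequence offset, so out-of-order arrival is handled;
    gaps stay as NUL bytes, and the first copy of a byte wins so a retransmitted
    segment cannot overwrite what was already seen."""
    flows = defaultdict(list)
    for s in segments:
        flows[(s.src, s.dst)].append(s)
    streams = {}
    for key, segs in flows.items():
        base = min(s.seq for s in segs)
        end = max(s.seq + len(s.payload) for s in segs)
        buf, seen = bytearray(end - base), bytearray(end - base)
        for s in sorted(segs, key=lambda s: s.seq):
            off = s.seq - base
            for i, b in enumerate(s.payload):
                if not seen[off + i]:
                    buf[off + i], seen[off + i] = b, 1
        streams[key] = bytes(buf)
    return streams


def normalize_http(data: bytes) -> bytes:
    """Undo %XX encoding so 'cm%64.exe' matches the same signature as 'cmd.exe'."""
    return unquote_to_bytes(data)


def stream_alerts(segments, normalize=True):
    """Misuse detection over reassembled streams, optionally normalised first."""
    alerts = []
    for (src, dst), data in reassemble(segments).items():
        if normalize:
            data = normalize_http(data)
        for name in match_signatures(data):
            alerts.append((src, dst, name))
    return alerts


# Constructed traffic.  Flow A splits "cmd.exe" across two segments that arrive
# out of order; flow B percent-encodes the slashes in its path.
A = ("192.0.2.10", "198.51.100.20")
B = ("192.0.2.11", "198.51.100.20")
part1 = b"GET /scripts/..%255c../winnt/system32/cm"
part2 = b"d.exe?/c+dir HTTP/1.0\r\n\r\n"
SAMPLE = [
    Segment(*A, 2000 + len(part1), part2),   # second half arrives first
    Segment(*A, 2000, part1),
    Segment(*B, 500, b"GET /cgi-bin/view?f=%2fetc%2fpasswd HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    print("per packet:        ", per_packet_alerts(SAMPLE))
    print("stream, raw:       ", stream_alerts(SAMPLE, normalize=False))
    print("stream, normalised:", stream_alerts(SAMPLE))
```

The same structure is why slide 23's "may mis-reassemble packets" matters: whoever reassembles differently from the target host (overlap policy, gap handling, decoding) can be made to see a different byte string than the server does, and the signature then never fires.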

34 Hybrid IDS
The current crop of commercial IDS are mostly hybrids
- Misuse detection (signatures or simple patterns)
- Expert logic (network-based inference of common attacks)
- Statistical anomaly detection (values that are out of bounds)

35 Hybrid IDS (cont)
At present, the hybrids' main strength appears to be the misuse detection capability
- Statistical anomaly detection is useful more as backfill information in the case of something going wrong
- Too many false positives - many sites turn anomaly detection off

36 Intrusion Detection Systems (Cont.)
Common IDS solutions available today:
- Cisco Secure IDS
- Enterasys Dragon
- Elm 3.0
- GFI LANguard S.E.L.M
- Intrust Event Admin
- Snort
- Tripwire
- eTrust

37 Network Forensics Abuse
The capture capability of an IDS cuts both ways: with access to the sensor, anyone can
- Spy on users
- Capture passwords
- Know what Web pages were viewed
- Covertly see the contents of a customer's shopping cart

38 Examining Data
Verifying the integrity of the data
- There are guidelines that can help ensure the integrity of network data:
  - Logs
  - Time/date stamps
  - IDS alerts
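Added example (not from the slides): one concrete way to make log and IDS-alert data verifiable at examination time, a keyed hash chain in Python. Each entry carries an HMAC over its own fields and the previous entry's HMAC, so the examiner holding the key can detect an edited, deleted or reordered record and name the first entry at which the chain breaks; a time stamp that runs backwards is rejected too. The key, alert contents and field names are constructed for this example. In practice the key belongs on the log collector, not on the monitored host, because an intruder who controls the host could otherwise re-sign a doctored log.

```python
"""Hash-chained, keyed IDS log (added example, not from the slides).

Each entry's MAC covers the entry's fields and the previous entry's MAC, so
an examiner holding the key can detect a modified, deleted, inserted or
reordered record and point at the first entry where the chain breaks."""
import copy
import hashlib
import hmac
import json

GENESIS = "GENESIS"  # link value carried by the first entry


def _mac(key: bytes, prev: str, record: dict) -> str:
    """HMAC-SHA256 over the previous MAC plus a canonical JSON form of the record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev.encode() + b"\n" + canonical, hashlib.sha256).hexdigest()


def write_chain(key: bytes, records):
    """Chain records (dicts with at least a 'ts' time stamp) and return the entries."""
    entries, prev = [], GENESIS
    for rec in records:
        mac = _mac(key, prev, rec)
        entries.append({**rec, "prev": prev, "mac": mac})
        prev = mac
    return entries


def verify_chain(key: bytes, entries):
    """Return (True, None) if every link and MAC checks out and time stamps never
    go backwards; otherwise (False, index of the first entry that fails)."""
    prev, last_ts = GENESIS, ""
    for i, e in enumerate(entries):
        rec = {k: v for k, v in e.items() if k not in ("prev", "mac")}
        expected = _mac(key, prev, rec)
        if e.get("prev") != prev or not hmac.compare_digest(e.get("mac", ""), expected):
            return False, i
        if rec.get("ts", "") < last_ts:   # ISO-8601 UTC strings sort chronologically
            return False, i
        prev, last_ts = e["mac"], rec.get("ts", "")
    return True, None


# Constructed alerts; the key is a placeholder for the example, not a real secret.
KEY = b"collector-secret-key"
ALERTS = [
    {"ts": "2004-09-14T10:02:11Z", "src": "192.0.2.10", "msg": "portscan, 64 ports"},
    {"ts": "2004-09-14T10:02:40Z", "src": "192.0.2.10", "msg": "cmd.exe in HTTP URI"},
    {"ts": "2004-09-14T10:03:05Z", "src": "192.0.2.10", "msg": "new admin account"},
]


def tamper_demo(key=KEY, alerts=ALERTS):
    """Build a chain, then report what verify_chain says after several edits."""
    good = write_chain(key, alerts)
    edited = copy.deepcopy(good)
    edited[1]["msg"] = "benign"                  # rewrite one record in place
    deleted = good[:1] + good[2:]                # drop the middle record
    reordered = [good[0], good[2], good[1]]      # swap the last two
    return {
        "intact": verify_chain(key, good),
        "edited": verify_chain(key, edited),
        "deleted": verify_chain(key, deleted),
        "reordered": verify_chain(key, reordered),
    }


if __name__ == "__main__":
    for name, result in tamper_demo().items():
        print(f"{name:9s} -> {result}")
```

Note what the chain does not give you: it cannot prove that the sensor recorded the right thing in the first place, only that what it recorded has not changed since. The time stamps it protects are only as good as the clock that produced them, which is why time synchronisation across sensors and hosts is part of the same guideline.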