CIT 480: Securing Computer Systems

1 Intrusion Detection

2 Topics
- Definitions and goals
- Models of intrusion detection
- False positives
- Architecture of an IDS
- Example IDS: snort
- Active response (IPS)
- Host-based IDS and IPS
- IDS evasion techniques

3 IDS Terminology
- Intrusion: actions aimed at compromising the security of the target (the confidentiality, integrity, or availability of computing and networking resources).
- Intrusion detection: identifying intrusion activity (by matching known signatures or by spotting departures from normal behavior) and reporting it.
- Intrusion prevention: detecting intrusion activity and managing automatic responses to it throughout the network.

4 Goals of IDS
- Detect a wide variety of intrusions.
  - Previously known and unknown attacks.
  - Must adapt to new attacks or to changes in behavior.
- Detect intrusions in a timely fashion.
  - May need to be real-time, especially when the system responds to the intrusion.
  - Problem: analyzing commands may impact the response time of the monitored system.
  - It may suffice to report that an intrusion occurred a few minutes or hours ago.

5 Goals of IDS (continued)
- Present the analysis in an easy-to-understand format.
  - Ideally a binary indicator.
  - Usually more complex, allowing the analyst to examine the suspected attack.
  - The user interface is critical, especially when monitoring many systems.
- Be accurate.
  - Minimize false positives and false negatives.
  - Minimize the time spent verifying attacks and looking for them.

6 Deep Packet Inspection
- DPI = analysis of application-layer data.
- Protocol standard compliance:
  - Is port 53 traffic DNS, or a covert shell session?
  - Is port 80 traffic HTTP, or tunneled IM or P2P?
- Protocol anomaly detection:
  - Traffic is valid HTTP, but the URL is suspicious (for example, it contains a directory traversal).
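The port 53 question above, as an added example (not code from the slides or from any IDS product): a strict parser for a DNS query that a DPI engine could run on every UDP/53 payload. Bytes that do not form a well-formed header and question section, such as an interactive shell tunneled over the port, fail the check. The payloads, the parser's strictness choices (exactly one question, no Z bit, trailing bytes only when an EDNS additional record is announced) and all function names are this example's own assumptions.

```python
"""Protocol-compliance check for DPI: is this UDP/53 payload actually DNS?"""
import struct
from typing import Optional

MAX_LABEL, MAX_NAME = 63, 255


def _read_name(payload: bytes, off: int):
    """Parse an uncompressed domain name at off; return (name, new_off) or None."""
    labels, total = [], 0
    while True:
        if off >= len(payload):
            return None
        n = payload[off]
        off += 1
        if n == 0:
            break
        if n > MAX_LABEL or off + n > len(payload):   # also rejects 0xC0 compression pointers
            return None
        label = payload[off:off + n]
        if not label.replace(b"-", b"").replace(b"_", b"").isalnum():  # hostname charset
            return None
        labels.append(label.decode("ascii"))
        total += n + 1
        off += n
        if total > MAX_NAME:
            return None
    return ".".join(labels), off


def parse_dns_query(payload: bytes) -> Optional[dict]:
    """Strictly parse a DNS query (QR=0). Return the decoded question, or None
    when the bytes do not form a well-formed query."""
    if len(payload) < 12:
        return None
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    qr, opcode, z = flags >> 15, (flags >> 11) & 0xF, (flags >> 6) & 1
    # A query has QR=0, a standard opcode, Z=0, exactly one question (what real
    # resolvers send), no answer/authority records, at most one additional (EDNS OPT).
    if qr != 0 or opcode > 2 or z != 0 or qd != 1 or an or ns or ar > 1:
        return None
    parsed = _read_name(payload, 12)
    if parsed is None:
        return None
    name, off = parsed
    if off + 4 > len(payload):
        return None
    qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
    off += 4
    if qclass not in (1, 3, 255):          # IN, CH, ANY
        return None
    if ar == 0 and off != len(payload):    # trailing bytes that nothing accounts for
        return None
    return {"id": txid, "name": name, "qtype": qtype, "qclass": qclass, "rd": (flags >> 8) & 1}


def is_dns(payload: bytes) -> bool:
    return parse_dns_query(payload) is not None


# Constructed UDP/53 payloads (no real traffic was captured).
DNS_QUERY = (struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
             + b"\x03www\x07example\x03com\x00" + struct.pack("!HH", 1, 1))
COVERT_SHELL = b"id\nuid=0(root) gid=0(root) groups=0(root)\n"
TRUNCATED = DNS_QUERY[:-3]
# Syntactically valid TXT query with a long encoded label, the shape a DNS tunnel uses.
TUNNEL_QUERY = (struct.pack("!6H", 0x4242, 0x0100, 1, 0, 0, 0)
                + b"\x28" + b"gezdgnbvgy" * 4 + b"\x06tunnel\x03com\x00" + struct.pack("!HH", 16, 1))

if __name__ == "__main__":
    for label, pkt in [("query", DNS_QUERY), ("shell", COVERT_SHELL),
                       ("truncated", TRUNCATED), ("tunnel", TUNNEL_QUERY)]:
        print(f"{label:>9}: is_dns={is_dns(pkt)} {parse_dns_query(pkt)}")
```

Note the last case: a DNS tunnel that emits well-formed queries passes a compliance check, so compliance alone separates "not DNS" from "DNS", not "benign" from "malicious"; spotting the tunnel needs the anomaly side (label length, entropy, query volume per client).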

7 Models of Intrusion Detection
- Anomaly detection (statistical IDS)
  - Develop a profile of normal user/host actions.
  - Alert when actions depart too far from the profile.
  - Can flag attacks never seen before; produces false positives when legitimate behavior changes.
- Misuse detection (rule-based IDS)
  - Create signatures from the profiles of known attacks.
  - Look for the signatures; an attack with no signature yet goes undetected.

8 Possible Alarm Outcomes

                   Intrusion attack     No intrusion attack
  Alarm sounded    True positive        False positive
  No alarm         False negative       True negative

9 Base-Rate Fallacy
- It is difficult to build an IDS with both a high true-positive rate and a low false-positive rate.
- If the number of intrusions is small compared to normal traffic, the IDS will produce many false positives for each real intrusion, even with a low false-positive rate.
- The effectiveness of an IDS is easily misjudged because of a statistical error known as the base-rate fallacy.
- The error occurs when the probability of a conditional event (here, "this alarm is a real intrusion") is assessed without considering the base rate of the event (how rare intrusions are among all examined events).

10 Base-Rate Fallacy Example
- Example case
  - The IDS is 99% accurate: a 1% false-positive rate and a 1% false-negative rate.
  - The IDS examines 1,000,100 events (log entries).
  - Base rate: 100 of the 1,000,100 events are malicious.
- Results
  - Of the 100 malicious events, 99 are detected; 1 is a false negative.
  - Of the 1,000,000 benign events, 1% (10,000) are mistakenly flagged as malicious: 10,000 false positives.
  - Thus 10,099 alarms sound, 10,000 of which are false alarms: roughly 99% of the alarms are false.
  - Put another way: given an alarm, the probability that it is a real intrusion is 99/10,099, under 1%.
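The arithmetic above carried through in code, as an added example that is not part of the slides: alarm_counts() reproduces the slide's numbers exactly, alarm_precision() gives P(intrusion | alarm) for any base rate, and fpr_for_precision() answers the practical follow-up of how low the false-positive rate must be before half of the alarms are real. The function names and the base-rate sweep are this example's own.

```python
"""Base-rate arithmetic for IDS alarms. Rates may be Fractions, ints, or
strings such as "1/100" or "0.01"; exact rationals avoid float noise."""
from fractions import Fraction


def alarm_counts(events, base_rate, tpr, fpr):
    """Exact (true positives, false positives, false negatives, true negatives)
    among `events` examined events, given base rate, TPR and FPR."""
    base_rate, tpr, fpr = map(Fraction, (base_rate, tpr, fpr))
    malicious = events * base_rate
    benign = events - malicious
    tp = malicious * tpr
    fp = benign * fpr
    return tp, fp, malicious - tp, benign - fp


def alarm_precision(base_rate, tpr, fpr) -> Fraction:
    """P(intrusion | alarm) by Bayes' rule; independent of the event count."""
    base_rate, tpr, fpr = map(Fraction, (base_rate, tpr, fpr))
    p_alarm = base_rate * tpr + (1 - base_rate) * fpr
    return base_rate * tpr / p_alarm


def fpr_for_precision(base_rate, tpr, target) -> Fraction:
    """FPR needed so that P(intrusion | alarm) reaches `target`.
    Solves target = b*tpr / (b*tpr + (1-b)*fpr) for fpr."""
    base_rate, tpr, target = map(Fraction, (base_rate, tpr, target))
    return base_rate * tpr * (1 - target) / (target * (1 - base_rate))


if __name__ == "__main__":
    # The slide's case: 100 malicious events among 1,000,100, a 99% accurate IDS.
    b = Fraction(100, 1_000_100)
    tp, fp, fn, tn = alarm_counts(1_000_100, b, "99/100", "1/100")
    print(f"TP={tp} FP={fp} FN={fn} TN={tn}; alarms={tp + fp}")
    print(f"P(intrusion | alarm) = {float(alarm_precision(b, '99/100', '1/100')):.4%}")
    print(f"FPR needed for 50% precision: {float(fpr_for_precision(b, '99/100', '1/2')):.6%}")
    # Same detector, falling base rates: precision collapses along with the base rate.
    for rate in ("1/10", "1/100", "1/1000", "1/10000", "1/1000000"):
        print(f"base rate {rate:>10}: {float(alarm_precision(rate, '99/100', '1/100')):.4%}")
```

At a 1% base rate the same detector is right half the time; at the slide's base rate of about 1 in 10,000 it needs a false-positive rate near 0.01% (99 per million) before an analyst can expect every second alarm to be real.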

11 IDS Components
[Figure: an IDS sensor on the network path from the untrusted Internet through the router and firewall reports to an IDS manager.]

12 IDS Architecture
- An IDS is essentially a sophisticated audit system.
- Sensors gather data for analysis from hosts or from the network.
- The manager analyzes the data obtained from sensors according to its internal rules.
- The notifier acts on the manager's results:
  - May simply notify the security officer.
  - May reconfigure sensors or the manager to alter collection or analysis methods.
  - May activate a response mechanism.

13 Host-Based Sensors
- Obtain information from logs.
  - May use many logs as sources.
  - The logs may be security-related or not.
  - May use virtual logs if the agent is part of the kernel.
- The agent generates its own information.
  - Analyzes the state of the system.
  - Treats the results of that analysis as log data.

14 Network-Based Sensors
- Sniff traffic from the network.
  - Use hubs, SPAN ports, or taps to see traffic.
  - Need sensors on all switches to see the entire network.
  - Deep packet inspection (DPI).
- The sensor needs the same view of the traffic as the destination.
  - An attacker may send packets with the TTL set so that the sensor sees them but they expire before reaching the destination; the sensor then analyzes data the target never received.
  - Packet fragmentation and reassembly work differently on different OSes, so in some cases the sensor reassembles a different packet than the destination does.
- End-to-end encryption defeats content monitoring.
  - It does not defeat traffic analysis (who talks to whom, when, and how much).

15 Aggregation of Information
- Sensors produce information at multiple layers of abstraction.
  - Application-monitoring sensors provide one view of an event.
  - System-monitoring sensors provide a different view of the same event.
  - Network-monitoring sensors provide yet another view (involving many packets) of the event.

16 Notifier
- Accepts information from the manager.
- Takes appropriate action.
  - Page, call, or IM the security officer.
  - Rate-limit contacts so a single problem does not result in an overwhelming flood of notices.
  - Respond to the attack.
- Often a GUI.
  - Uses visualization to convey information.

17 Example NIDS: snort
- Network Intrusion Detection System.
- Sniffs packets off the wire.
- Checks packets for matches against rule sets.
- Logs detected signs of misuse.
- Alerts the administrator when misuse is detected.

18 Example Architecture: snort
[Figure 1.5 from Intrusion Detection Systems with Snort: Advanced IDS Techniques Using Snort, Apache, MySQL, PHP, and ACID.]

19 Snort Rules
- Rule header
  - Action: pass, log, alert
  - Network protocol
  - Source address (host or network) + port
  - Direction operator (->)
  - Destination address (host or network) + port
- Rule body (options)
  - Content: packet ASCII or binary content to match
  - TCP/IP flags and options to match
  - Message to log, indicating the nature of the misuse detected

20 Snort Rule Example
Rule for an ssh shellcode exploit (the hex bytes between the content:"| |" delimiters and the CVE number did not survive transcription):

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow NOOP"; flow:to_server,established; content:"| |"; reference:bugtraq,2347; reference:cve,CVE ; classtype:shellcode-detect; sid:1326; rev:3;)
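A minimal matcher for rules in this syntax, as an added example: this is not Snort's own code, and the rule, the packets and the $HOME_NET/$EXTERNAL_NET bindings are constructed for illustration (the slide's sid:1326 rule is not reused because its content bytes are missing from the transcript). It shows what each header field and the msg, content and sid options do when a packet is checked; flow, reference, classtype and rev are parsed but not evaluated.

```python
"""Minimal Snort-style rule parser and matcher (example code, not Snort)."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed variable bindings; snort.conf normally defines these.
VARS = {"$HOME_NET": "10.0.0.0/8", "$EXTERNAL_NET": "!10.0.0.0/8"}

HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$"
)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    content: bytes = b""
    opts: dict = field(default_factory=dict)

    @property
    def sid(self) -> int:
        return int(self.opts.get("sid", 0))

    @property
    def msg(self) -> str:
        return self.opts.get("msg", "")


def parse_content(text: str) -> bytes:
    """Snort content syntax: literal text, with |..| enclosing hex bytes."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return bytes(out)


def parse_rule(line: str) -> Rule:
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule header: {line!r}")
    rule = Rule(m["action"], m["proto"], m["src"], m["sport"], m["dst"], m["dport"])
    # Options are "key:value;" pairs; this simple split assumes no ';' inside values.
    for opt in filter(None, (o.strip() for o in m["opts"].split(";"))):
        key, _, val = opt.partition(":")
        val = val.strip().strip('"')
        if key == "content":
            rule.content = parse_content(val)
        else:
            rule.opts[key] = val
    return rule


def addr_matches(spec: str, ip: str) -> bool:
    spec = VARS.get(spec, spec)
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate


def port_matches(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def matches(rule: Rule, pkt: dict) -> bool:
    """pkt is a constructed dict: proto, src, sport, dst, dport, payload (bytes).
    An empty content matches any payload, as in Snort."""
    return (rule.proto == pkt["proto"]
            and addr_matches(rule.src, pkt["src"]) and port_matches(rule.sport, pkt["sport"])
            and addr_matches(rule.dst, pkt["dst"]) and port_matches(rule.dport, pkt["dport"])
            and rule.content in pkt["payload"])


def scan(rules, packets):
    """Return (sid, msg) for every alert rule that matches a packet."""
    return [(r.sid, r.msg) for p in packets for r in rules if r.action == "alert" and matches(r, p)]


# Constructed rule in the same shape as the slide's: a NOP sled of eight 0x90
# bytes sent toward an SSH server. sid 1000001 is in the local rule range.
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE ssh NOP sled"; '
        'flow:to_server,established; content:"|90 90 90 90 90 90 90 90|"; '
        'classtype:shellcode-detect; sid:1000001; rev:1;)')

# Constructed packets (no real traffic).
ATTACK = {"proto": "tcp", "src": "203.0.113.5", "sport": 40000, "dst": "10.1.2.3",
          "dport": 22, "payload": b"SSH-1.5-OpenSSH\r\n" + b"\x90" * 16 + b"\xcc"}
BENIGN = dict(ATTACK, payload=b"SSH-2.0-OpenSSH_8.9\r\n")
INTERNAL = dict(ATTACK, src="10.9.9.9")   # source inside $HOME_NET, so not $EXTERNAL_NET
OTHER_PORT = dict(ATTACK, dport=2222)     # not the port the rule names

if __name__ == "__main__":
    rule = parse_rule(RULE)
    for name, pkt in [("attack", ATTACK), ("benign", BENIGN), ("internal", INTERNAL), ("other port", OTHER_PORT)]:
        print(f"{name:>10}: {scan([rule], [pkt])}")
```

Only the attack packet fires; the internal and other-port copies show that the header fields are matched before the content is ever inspected, which is why a well-scoped header keeps a rule cheap and keeps its false positives down.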

21 IDS Deployment
- IDS deployment should reflect your threat model.
- Major classes of attackers:
  - External attackers intruding from the Internet.
  - Internal attackers intruding from your own LANs.
- Where should you place IDS sensors?
  - Perimeter (outside the firewall)
  - DMZ
  - Intranet
  - Wireless

22 IDS Deployment
[Figure 1.3 from Intrusion Detection Systems with Snort: Advanced IDS Techniques Using Snort, Apache, MySQL, PHP, and ACID; Figure 3.2 from The Tao of Network Security Monitoring.]

23 Snort Web Interface

24 Sguil NSM Console

25 Intrusion Prevention Systems
- What else can you do with IDS alerts?
  - Identify an attack before it completes.
  - Prevent it from completing.
- How to prevent attacks?
  - Directly: the IPS drops packets or kills TCP sessions.
  - Indirectly: the IPS modifies firewall rules.
- Is IPS a good idea?
  - How do you deal with false positives, which now block legitimate traffic instead of only raising an alert?

26 IPS Deployment Types
[Figure: an inline IPS sits in the traffic path in front of the intranet; a non-inline IPS watches a copy of the traffic and responds out of band.]

27 Active Responses by Network Layer
- Data link
  - Shut down a switch port. Only useful for local intrusions.
  - Rate-limit switch ports.
- Network
  - Block a particular IP address.
  - Inline: the IPS can perform the blocking itself.
  - Non-inline: send a request to the firewall.
- Transport
  - Send TCP RST or ICMP messages to the sender and the target to tear down TCP sessions.
- Application
  - An inline IPS can modify application data to make it harmless: /bin/sh -> /ben/sh

28 Host IDS and IPS
- Anti-virus and anti-spyware: AVG anti-virus, SpyBot S&D
- Log monitors: swatch, logwatch
- Integrity checkers: tripwire, osiris, samhain
  - Record a baseline of file checksums, permissions, etc., and report files that have changed.
- Application shims: mod_security (usually called a WAF)
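Integrity checking as an added example of the technique these tools implement (this is not code from tripwire, osiris or samhain): snapshot() records a SHA-256 digest, size and permission bits for every regular file under a directory, and compare() diffs a later snapshot against the baseline. demo() builds a small constructed file tree in a temporary directory, baselines it, makes attacker-style changes and returns the report, so it runs offline; the tree, file contents and function names are this example's own.

```python
"""File integrity checker in the style of tripwire/samhain (example code)."""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict:
    """Map relative POSIX path -> (sha256 hex digest, size, mode bits)."""
    record = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                digest.update(chunk)
        st = path.stat()
        record[path.relative_to(root).as_posix()] = (digest.hexdigest(), st.st_size, st.st_mode & 0o7777)
    return record


def compare(baseline: dict, current: dict) -> dict:
    """Report added, removed and modified paths. A file counts as modified if
    its digest, size or mode differs; mtime is deliberately not compared,
    since an attacker can reset it with touch but cannot preserve the digest."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a tiny tree, then trojan a binary without
    changing its size, plant a hidden SUID file, chmod another binary and wipe a log."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "var" / "log").mkdir(parents=True)
        (root / "bin" / "ls").write_bytes(b"\x7fELF original ls")
        (root / "bin" / "ps").write_bytes(b"\x7fELF original ps")
        (root / "var" / "log" / "auth.log").write_text("sshd: Accepted publickey for root\n")
        baseline = snapshot(root)

        (root / "bin" / "ps").write_bytes(b"\x7fELF trojaned ps")   # same size, new digest
        (root / "bin" / ".sh").write_bytes(b"\x7fELF shell")         # new hidden file
        (root / "bin" / ".sh").chmod(0o4755)                          # with the SUID bit
        (root / "bin" / "ls").chmod(0o4755)                           # mode-only change
        (root / "var" / "log" / "auth.log").unlink()                  # log wiped
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:>8}: {paths}")
```

Two operational points the code cannot enforce for you: the baseline must live where the host's root cannot rewrite it (read-only media or the IDS manager), and the checker itself must be run from a trusted copy, otherwise an attacker who already owns the host simply re-baselines after the change.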

29 Evading IDS and IPS
- Alter appearance to prevent a signature match.
  - URL-encode parameters to avoid a match.
  - Use ' or 783>412-- instead of the well-known ' or 1=1-- for SQL injection.
- Alter context so the IDS interprets the traffic differently than the target does.
  - Change the TTL so the IDS sees packets the target host never receives.
  - Fragment packets so that the IDS and the target host reassemble them differently.

30 Fragment Evasion Techniques
- Flood of fragments
  - DoS via heavy use of CPU/RAM on the IDS, which must buffer incomplete fragment sets.
- Tiny fragments
  - Break the attack into multiple fragments, none of which matches the signature on its own.
  - Example: fragment 1: "cat /etc", fragment 2: "/shadow"
- Overlapping fragments
  - The offset of a later fragment overwrites part of an earlier fragment.
  - Example: fragment 1: "cat /etc/fred", fragment 2: offset=10, "shadow"
  - Different OSes resolve the overlap differently (some keep the first copy, some the last), so an IDS that reassembles with one fixed policy sees a different payload than some of its targets.
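The tiny-fragment and overlapping-fragment cases above, played out in code as an added example (not from the slides): fragments are modeled as (byte offset, data) pairs, a per-fragment matcher stands in for a sensor that never reassembles, and reassemble() takes a policy of "first" (earlier data wins) or "last" (later data overwrites), which is the ambiguity the slide describes. Offsets are in bytes rather than the 8-byte units real IP fragments use, and the fragments, signature and function names are this example's own assumptions; has_overlap() is the practical check a sensor can apply regardless of policy.

```python
"""Fragment evasion against per-fragment and naively reassembling sensors."""

SIGNATURE = b"cat /etc/shadow"


def reassemble(fragments, policy="first") -> bytes:
    """Reassemble (offset, data) fragments into one byte string.

    policy="first": bytes already written are kept (earlier fragment wins).
    policy="last":  later fragments overwrite earlier bytes.
    Holes never covered by any fragment are left as zero bytes.
    """
    if policy not in ("first", "last"):
        raise ValueError(policy)
    total = max(off + len(data) for off, data in fragments)
    buf = bytearray(total)
    written = bytearray(total)  # 1 where a byte has already been set
    for off, data in fragments:
        for i, b in enumerate(data):
            pos = off + i
            if policy == "last" or not written[pos]:
                buf[pos] = b
                written[pos] = 1
    return bytes(buf)


def per_fragment_match(fragments, sig=SIGNATURE) -> bool:
    """A naive sensor: checks each fragment on its own, no reassembly."""
    return any(sig in data for _, data in fragments)


def reassembled_match(fragments, policy, sig=SIGNATURE) -> bool:
    return sig in reassemble(fragments, policy)


def has_overlap(fragments) -> bool:
    """True if any two fragments cover the same byte: a sensor that cannot know
    the target's policy can alert on the overlap itself instead of guessing."""
    covered = set()
    for off, data in fragments:
        span = set(range(off, off + len(data)))
        if covered & span:
            return True
        covered |= span
    return False


def verdicts(fragments) -> dict:
    return {"per_fragment": per_fragment_match(fragments),
            "reassembled_first": reassembled_match(fragments, "first"),
            "reassembled_last": reassembled_match(fragments, "last"),
            "overlap_seen": has_overlap(fragments)}


# Constructed fragment sets (byte offsets).
# Tiny fragments: the signature is split in two, so neither piece matches alone.
TINY = [(0, b"cat /etc"), (8, b"/shadow")]
# Overlapping fragments: fragment 2 lands on "fred"; only a target that lets
# later data win ends up executing "cat /etc/shadow".
OVERLAP = [(0, b"cat /etc/fred"), (9, b"shadow")]

if __name__ == "__main__":
    for name, frags in [("tiny", TINY), ("overlap", OVERLAP)]:
        print(f"{name:>8}: first={reassemble(frags, 'first')!r} last={reassemble(frags, 'last')!r}")
        print(f"{'':>8}  {verdicts(frags)}")
```

For the overlapping set, "first" reassembly yields cat /etc/fredow and "last" yields cat /etc/shadow; a sensor hard-wired to one policy misses the hosts that use the other, which is why production sensors either learn each target's reassembly behavior or treat overlapping fragments as an event in their own right.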

31 Web Evasion Techniques
- URL encoding
  - GET /%63%67%69%2d%62%69%6e/bad.cgi (decodes to /cgi-bin/bad.cgi)
- /./ directory insertion
  - GET /./cgi-bin/./bad.cgi
- Long directory insertion
  - GET /junklongdirectorypathstuffhereuseless/../cgi-bin/bad.cgi
  - An IDS may only read the first part of the URL for speed.
- Tab separation
  - GET<tab>/cgi-bin/bad.cgi
  - Tabs usually work on servers, but may not be in the signature.
- Case sensitivity
  - GET /CGI-BIN/bad.cgi
  - Windows filenames are case-insensitive, but the signature may not be.
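The five evasions above run against a raw signature and against the same signature after normalization, as an added example that is not code from the slides or from any IDS. naive_match() looks for the literal "GET /cgi-bin/bad.cgi", so every variant slips past it; normalize() applies what the target server would do with the request line (split on spaces or tabs, percent-decode, including a second pass for double encoding, collapse "/./" and "dir/../", fold case when the file system is case-insensitive) and normalized_match() checks the signature against that. The request lines, the double-encoded sixth variant and the function names are this example's own.

```python
"""Signature matching before and after URL normalization (example code)."""
import posixpath
import re
from urllib.parse import unquote

NAIVE_SIGNATURE = "GET /cgi-bin/bad.cgi"          # matched against raw bytes
SIG_METHOD, SIG_PATH = "GET", "/cgi-bin/bad.cgi"  # same signature, after normalization

REQUEST_LINE_RE = re.compile(r"^([A-Z]+)[ \t]+(\S+)(?:[ \t]+(HTTP/\d\.\d))?")


def naive_match(request_line: str) -> bool:
    """What a signature with no preprocessing sees."""
    return NAIVE_SIGNATURE in request_line


def normalize(request_line: str, case_insensitive_fs: bool = True) -> tuple:
    """Return (method, resolved path) as the server would interpret them.
    case_insensitive_fs=True models a Windows file system; set it per target."""
    m = REQUEST_LINE_RE.match(request_line)
    if not m:
        return ("", "")
    method, target = m.group(1), m.group(2).split("?", 1)[0]
    decoded = unquote(unquote(target))                     # second pass catches %25xx
    path = posixpath.normpath("/" + decoded.lstrip("/"))   # collapses /./ and dir/../
    return (method, path.lower() if case_insensitive_fs else path)


def normalized_match(request_line: str, case_insensitive_fs: bool = True) -> bool:
    return normalize(request_line, case_insensitive_fs) == (SIG_METHOD, SIG_PATH)


# Constructed request lines: the slide's five evasions plus a double-encoded one.
EVASIONS = [
    "GET /%63%67%69%2d%62%69%6e/bad.cgi HTTP/1.0",                            # URL encoding
    "GET /./cgi-bin/./bad.cgi HTTP/1.0",                                      # /./ insertion
    "GET /junklongdirectorypathstuffhereuseless/../cgi-bin/bad.cgi HTTP/1.0",  # long dir + ..
    "GET\t/cgi-bin/bad.cgi HTTP/1.0",                                         # tab separator
    "GET /CGI-BIN/bad.cgi HTTP/1.0",                                          # case
    "GET /cgi-bin/%2562ad.cgi HTTP/1.0",                                      # double encoding
]
PLAIN = "GET /cgi-bin/bad.cgi HTTP/1.0"
BENIGN = "GET /cgi-bin/index.cgi?bad.cgi HTTP/1.0"

if __name__ == "__main__":
    for line in [PLAIN, BENIGN, *EVASIONS]:
        print(f"naive={naive_match(line)!s:5} normalized={normalized_match(line)!s:5} {line!r}")
```

The case-folding step is the one to treat with care: it must be switched on only for targets whose file system is case-insensitive, or the sensor starts alerting on requests the server would reject, which is the base-rate problem from earlier in a new form.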

32 Countering Evasion
- Keep IDS/IPS signatures up to date, on a daily or weekly basis.
- Use both host and network IDS/IPS.
  - Host-based is harder to evade because it runs on the host and sees the data after the OS has reassembled and decoded it.
  - Fragment attacks cannot evade a host IDS.
  - Network IDS is still useful as an overall monitor.
- Tune the IDS/IPS based on experience, to reduce both false positives and false negatives.

33 Key Points
- Models of IDS:
  - Anomaly detection: unexpected events (statistical IDS).
  - Misuse detection: known violations of policy (rule-based IDS).
- IDS architecture: sensors, manager, notifier.
- Host vs. network IDS:
  - Host: an agent on the host checks files and processes to detect attacks.
  - Network: sniffs and analyzes packets to detect intrusions.
- IPS:
  - Stops intrusions, but what about false positives?
  - Inline vs. non-inline: how do the prevention techniques differ?
- IDS/IPS evasion:
  - Alter appearance to avoid a signature match.
  - Alter context so the IDS interprets the traffic differently than the host does.

34 References
- Richard Bejtlich, The Tao of Network Security Monitoring, Addison-Wesley, 2004.
- William Cheswick, Steven Bellovin, and Aviel Rubin, Firewalls and Internet Security, 2nd edition, Addison-Wesley, 2003.
- Michael Goodrich and Roberto Tamassia, Introduction to Computer Security, Pearson, 2011.
- The Honeynet Project, Know Your Enemy, 2nd edition, Addison-Wesley, 2004.
- Richard A. Kemmerer and Giovanni Vigna, "Intrusion Detection: A Brief History and Overview," IEEE Security & Privacy, v1 n1, Apr 2002.
- Stephen Northcutt and Judy Novak, Network Intrusion Detection, 3rd edition, New Riders, 2002.
- Michael Rash et al., Intrusion Prevention and Active Response, Syngress, 2005.
- Rafeeq Ur Rehman, Intrusion Detection Systems with Snort: Advanced IDS Techniques Using Snort, Apache, MySQL, PHP, and ACID, Prentice Hall, 2003.
- Ed Skoudis, Counter Hack Reloaded, 2nd edition, Prentice Hall, 2006.

