Published byRafe Bruce Modified over 9 years ago
1
1 Advances in Network Security Case Study: Intrusion Detection Max Lakshtanov Comp 529T 7-10
2
2 Intrusion Detection Introduction and Background Overview of Mobile Agents Mobile Agents VS. Intruders Other Intrusion Detection Techniques Conclusion Questions
3
3 Network Security: preventive and reactive Preventive approach: Prevent intrusions from occurring User authentication – logins and passwords Firewalls – filter network traffic Reactive approach: Intrusion Detection System (IDS) How to detect intrusions How to respond
4
4 Firewalls Firewall is a security device that allows limited access out of and into one’s network from the Internet Piece of hardware connected to a network for protection Only permits approved traffic in and out of one’s local site Allows administrator to select applicable services necessary to one’s business and screens out the rest
5
5 Types of Attacks Mobile worker Web site Hacker Supplier Branch Office Mail server Manufacturing Engineering HR/Finance Corporate Intranet Hacker Internet
Slide 6: Why firewalls are not enough
- Not all access to the Internet occurs through the firewall
- Not all threats originate from outside the firewall
- Firewalls are themselves subject to attack
- Little protection against data-driven attacks (virus-infected programs or data files, malicious Java applets and ActiveX controls)

Slide 7: What is an Intrusion Detection System?
- The concept was established in 1980 by J. P. Anderson
- Abbreviated IDS: a defense system that detects hostile activity in a network
- An IDS complements firewalls by allowing a deeper analysis of network traffic and by monitoring the behaviour of sessions on the servers
- Helps computer and network systems prepare for and deal with an attack

Slide 8: Basic Intrusion Detection (diagram: the intrusion detection system and its infrastructure monitor the target system, respond, and report)

Slide 9: Desirable characteristics
- Run continually
- Fault tolerant
- Resist subversion
- Minimal overhead
- Configurable
- Adaptable
- Scalable
- Provide graceful degradation of service
- Allow dynamic reconfiguration
Slide 10: What does an IDS do?
- Inspects inbound and outbound network activity and identifies suspicious patterns that may indicate a network or system attack
- Passive system: detects a potential security breach, logs the information and signals an alert
- Reactive system: additionally logs off the user or reprograms the firewall to block traffic from the suspected malicious source

Slide 11: First major type of IDS: host based
- Loaded on each protected asset
- Consumes the host's own resources: disk space, RAM, CPU time
- Detects host-related activity
- Analyzes operating system, application and system audit trails
- Can be self-contained or remotely managed
- Some attacks cannot be detected at a single location

Slide 12: Host based IDS (diagram)

Slide 13: Second major type of IDS: network based
- Monitors activity on a specific network segment
- Usually dedicated platforms with two components:
  - Sensor: passively analyzes network traffic
  - Management system: displays alarm information and configures the sensors
- Performs rules-based or expert-system analysis
- Problems: high network load, scalability, encrypted communication

Slide 14: Network based IDS (diagram)

Slide 15: Audit Data Example
- From the operating system: shell command records
- From the network: network connection records

Slide 16: What are False Positives?
- Occur when the system classifies a legitimate action as a possible intrusion
- Any alert that was triggered incorrectly, e.g. alerts about telnet connections that are legitimate
- Common causes: abnormal traffic patterns; too much traffic (high-bandwidth connections); incorrectly configured software
- Results: they clutter up the displays, and an attacker may deliberately trigger automatic responses to cause a denial of service
Slide 17: Analysis Techniques: Misuse Detection
- Matches activity against a predetermined knowledge base of known attacks
- High detection accuracy and a minimal number of false positives for the attacks it knows
- Problems:
  - Relies heavily on the thorough and correct construction of the knowledge base
  - Variations of known attacks
  - Intrusions not in the knowledge base
  - Traditionally requires human domain experts
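The two audit sources of slide 15 and the misuse-detection trade-offs of slide 17, as an added example (Python; not part of the original presentation). The knowledge base, the audit records, the user names and the "10.0.0." internal prefix are all constructed for illustration. It shows a signature firing on the exact command sequence, the same attack evading the signature when one harmless command is inserted (the "variations of known attacks" problem), and a connection rule producing the legitimate-telnet false positive mentioned on slide 16.

```python
"""Misuse (signature) detection over constructed audit records.

Added example for slides 15 and 17; the records and the knowledge base are
constructed for illustration and are not from any real IDS rule set.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class ShellRecord:          # audit data from the operating system (slide 15)
    user: str
    command: str


@dataclass(frozen=True)
class ConnRecord:           # audit data from the network (slide 15)
    src: str
    dst: str
    dport: int


# Knowledge base: contiguous command sequences that indicate a known attack.
COMMAND_SIGNATURES: Dict[str, Tuple[str, ...]] = {
    "cover-tracks": ("su root", "rm /var/log/wtmp", "history -c"),
    "shadow-exfil": ("cat /etc/shadow", "mail attacker@example.net"),
}

INTERNAL_PREFIX = "10.0.0."   # assumed internal address range


def match_command_signatures(records: Sequence[ShellRecord]) -> List[Tuple[str, str]]:
    """Return (user, signature) for each contiguous signature match per user."""
    per_user: Dict[str, List[str]] = {}
    for r in records:
        per_user.setdefault(r.user, []).append(r.command)
    hits = []
    for user, cmds in per_user.items():
        for name, sig in COMMAND_SIGNATURES.items():
            n = len(sig)
            if any(tuple(cmds[i:i + n]) == sig for i in range(len(cmds) - n + 1)):
                hits.append((user, name))
    return hits


def flag_external_telnet(records: Sequence[ConnRecord]) -> List[ConnRecord]:
    """Rule: any telnet (port 23) session from outside the internal range."""
    return [r for r in records if r.dport == 23 and not r.src.startswith(INTERNAL_PREFIX)]


# Constructed audit trail. "mallory" runs the exact cover-tracks sequence;
# "eve" runs the same steps with one harmless command in between.
SHELL_LOG = [
    ShellRecord("alice", "ls -la"),
    ShellRecord("mallory", "su root"),
    ShellRecord("mallory", "rm /var/log/wtmp"),
    ShellRecord("mallory", "history -c"),
    ShellRecord("eve", "su root"),
    ShellRecord("eve", "ls"),
    ShellRecord("eve", "rm /var/log/wtmp"),
    ShellRecord("eve", "history -c"),
]

# Constructed connection records. 192.0.2.7 is a partner site whose telnet
# access is approved, so the rule's hit on it is a false positive (slide 16).
CONN_LOG = [
    ConnRecord("10.0.0.5", "10.0.0.20", 23),
    ConnRecord("192.0.2.7", "10.0.0.20", 23),
    ConnRecord("203.0.113.9", "10.0.0.20", 22),
]

if __name__ == "__main__":
    print(match_command_signatures(SHELL_LOG))   # mallory detected, eve's variant missed
    print(flag_external_telnet(CONN_LOG))        # one hit, the legitimate partner session
```

The strict contiguous match is what gives misuse detection its low false-positive rate on the command side, and exactly what lets eve's trivially reordered variant through; the telnet rule shows the opposite failure, where a rule written without knowledge of approved partners alerts on legitimate traffic.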
Slide 18: Analysis Techniques: Anomaly Detection
- Flags events unlike normal system behaviour
- A variety of techniques, including statistical modeling, neural networks and hidden Markov models
- A baseline model represents normal system behaviour, against which anomalous events can be distinguished
- A threshold defines the range of normal behaviour

Slide 19: Anomaly Detection: advantages and problems
- Advantages:
  - Ability to identify new and previously unseen attacks
  - Automated; does not require expert knowledge of computer attacks
- Problems:
  - Attacks that resemble normal behaviour are missed
  - Higher numbers of false positives, since all anomalous events are assumed to be intrusive
  - False positives also arise from implementation errors

Slide 20: Unrealistic Expectations
- IDSs are not silver bullets for security
- They cannot compensate for weak identification and authentication mechanisms
- They cannot conduct investigations of attacks without human intervention
- They cannot compensate for weaknesses in network protocols, applications, systems, ...
- They cannot analyze all of the traffic on a network
- They cannot always deal with problems involving packet-level attacks
Slide 21: Problems of existing monolithic IDS
- Central data collection and analysis:
  - Single point of failure
  - Network traffic
  - Computational workload
- Ad hoc networks
- Possibility of distributed, coordinated attacks
- Lack of a common vocabulary or standards

Slide 22: Wireless Ad Hoc Networks
- A collection of mobile nodes
- No pre-existing communication infrastructure
- Each node can act as a router as well as a host
- Dynamic participation of each node
- No centralized authority for authentication and monitoring

Slide 23: Vulnerabilities of ad hoc networks
- Wireless communication (open medium)
- Cooperation among nodes is necessary (no centralized authority)
- Do not rely on existing infrastructure
- Many operational limitations:
  - Transmission range and bandwidth
  - Energy, CPU and memory
- Autonomous units capable of roaming independently:
  - Easily captured and compromised without physical protection
  - Very expensive and not scalable if physically protected

Slide 24: Vulnerabilities of ad hoc networks (continued)
- Usually used in situations where rapid deployment is necessary
- Usually deployed in hostile (not physically protected) places
- Dynamic topology change (due to mobility)
- Lack of key concentration points (e.g. switches and routers)
- No firewalls or gateways
- Difficult to distribute and update signatures (the detection database)

Slide 25: ID Techniques
- Mobile Agents
- Haystack Algorithm
- Indra
- Detection at the network layer
- Multi-layer detection

Slide 26: What are Mobile Agents?
- Executing programs that can migrate from machine to machine in a heterogeneous network under their own control
- Correlate suspicious events that occurred on different monitored hosts
- May have these characteristics: autonomous, goal-driven, reactive, social, adaptive, mobile

Slide 27: Mobile Agent Characteristics
- Can be programmed to satisfy one or more goals
- Move independently from one device to another on a network
- Generally serializable and persistent
- Provide more accurate alarms
- Dynamically increase or reduce the suspicion level of a given host or login user
- Evade attackers
- Can resurrect themselves if attacked

Slide 28: Components
- Two components: the agent and the agent platform
- The mobile agent contains the code and state information needed to carry out computation tasks on an agent platform

Slide 29: Advantages of Mobile Agents
- Reducing network load: move the logic, not the data
- Overcoming network latency: agents operate directly on the host
- Autonomous execution: still function when portions of the IDS are destroyed or separated
- Platform independence: an OS-independent layer is inserted between the hosts and the IDS using agents
- Dynamic adaptation: reconfigure at run time
- Upgradability: keep the signature database and the detection algorithms up to date
- Scalability: reduce computational and network load
Slide 30: Problems of Mobile Agents: security
Several security implications must be considered:
- The host (and the agent platform) must be protected against malicious agent code: certificates, digital signatures
- Agents can be modified or eavesdropped on while they move over the network: encrypt agents in transit
- Mobile agents can be attacked by a malicious agent platform itself; this is difficult to counter when agents need unrestricted movement around the network
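The first two points of slide 30 (protect the platform from tampered agent code; detect modification in transit), as an added example (Python; not part of the original presentation or of any of the agent systems it names). The slide calls for certificates and digital signatures; this block substitutes an HMAC-SHA256 tag under a key shared by all platforms so that it runs on the standard library alone, and adds a per-agent hop counter against replay. The key, the agent name, the envelope fields and the scenario are constructed.

```python
"""Integrity and replay check on a mobile agent before a platform runs it.

Added example for slide 30. The slide names certificates and digital
signatures; this block uses HMAC-SHA256 under a key shared by all agent
platforms as a stand-in so that it runs with the standard library alone.
Key, agent name and fields are constructed for the example.
"""
import copy
import hashlib
import hmac
import json

PLATFORM_KEY = b"constructed-demo-key-do-not-reuse"   # assumed shared platform key


def _canonical(body: dict) -> bytes:
    # Deterministic serialization so sender and receiver tag the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def seal_agent(agent_id: str, hop: int, code: str, state: dict) -> dict:
    """Wrap agent code and state in an envelope carrying an integrity tag."""
    body = {"agent_id": agent_id, "hop": hop, "code": code, "state": state}
    tag = hmac.new(PLATFORM_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def admit_agent(envelope: dict, last_hop_seen: dict) -> bool:
    """Platform-side check: reject tampered envelopes and replayed hops.

    `last_hop_seen` maps agent_id -> highest hop counter admitted so far; a
    replayed envelope fails because its hop counter has not advanced.
    """
    body = envelope["body"]
    expected = hmac.new(PLATFORM_KEY, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope["tag"]):
        return False                         # code or state modified in transit
    if body["hop"] <= last_hop_seen.get(body["agent_id"], -1):
        return False                         # replay of an envelope already admitted
    last_hop_seen[body["agent_id"]] = body["hop"]
    return True


def demo() -> dict:
    """Genuine envelope is admitted once; tampered and replayed copies are not."""
    seen = {}
    env = seal_agent("login-watcher", 3, "def run(): ...", {"suspicion": {"hostB": 2}})
    tampered = copy.deepcopy(env)
    tampered["body"]["code"] = "def run(): os.system('rm -rf /')"
    return {
        "genuine": admit_agent(env, seen),
        "tampered": admit_agent(tampered, seen),
        "replayed": admit_agent(env, seen),
    }


if __name__ == "__main__":
    print(demo())   # {'genuine': True, 'tampered': False, 'replayed': False}
```

The check protects the platform and the agent's state on the wire, but a shared key means any single compromised platform can forge agents for all the others; per-platform signing keys under certificates, as the slide suggests, remove that forgery path. Neither measure addresses the slide's third point: a malicious platform can still read or alter an agent it is executing, because the agent runs entirely at that platform's mercy.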
Slide 31: Problems of Mobile Agents: code size and performance
- Code size:
  - Agents are complex pieces of software and might get large
  - Transferring agent code over the network takes time, though only once if hosts store the agent code locally
- Performance:
  - Agents are often written in scripting or interpreted languages so that they port easily between platforms; this mode of execution is very slow compared to native code
  - Since an IDS has to process a large amount of data under demanding (near real-time) timing constraints, the use of mobile agents could degrade its performance

Slide 32: IDSs using agents
- Autonomous Agents For Intrusion Detection (AAFID), Purdue
- Local Intrusion Detection System (LIDS)
- Mobile Agent Intrusion Detection Systems (MAIDS)
- Intrusion Detection Agent System (IDA), IPA, Japan

Slide 33: MA Systems: AAFID (Autonomous Agents for Intrusion Detection)

Slide 34: The problem: monolithic IDS
- Limited scalability
- Single point of failure
- Difficult configurability
- Prone to insertion and evasion attacks
(diagram: a single IDS host)

Slide 35: AAFID architecture
- Distributed data collection and analysis
- Autonomous agents
- Independent entities
- Hierarchical structure

Slide 36: System Architecture (diagram: hosts A to E, each running agents, filters and a transceiver; monitors; a user interface (UI); control and data paths)

Slide 37: Communications organization (diagram: UI and hosts A to E)

Slide 38: What is an Agent?
- An independently running entity, usually a separate process or thread
- Can keep state
- May perform arbitrary actions
- Can be very simple or very complex
- May exchange data with other entities

Slide 39: What is a Transceiver?
- The communications backbone for a host
- Handles all the agents on a host
- May do processing on data received from agents
- Interacts with a monitor

Slide 40: What is a Monitor?
- The highest-level entity: the main control and data-processing entity
- Handles one or more transceivers
- Can control other monitors and can be connected hierarchically to other monitors
- May interact with a user interface

Slide 41: What is a Filter?
- A platform- and OS-specific entity
- Extracts the necessary data, providing a hardware and OS abstraction layer
- Subscription-based mechanism
- Allows for increased portability of agents
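The four AAFID entities of slides 38 to 41 wired together, as an added example (Python; not AAFID's code, which is Perl, and not part of the original presentation). Record layout, the failure threshold and the scenario are constructed. The point it demonstrates is slide 11's remark that some attacks cannot be detected at a single location: one source spreads login guesses across three hosts, staying under every host's threshold, and only the monitor, which sees all transceivers' data, can raise the alarm.

```python
"""Toy AAFID-style hierarchy: filter -> agent -> transceiver -> monitor.

Added example for slides 38 to 41 (and slide 11's point that some attacks
cannot be detected at a single location). Class names follow the slides;
record layout, thresholds and the scenario are constructed, not AAFID's.
"""
from collections import Counter, defaultdict


class Filter:
    """OS-specific record source; agents subscribe to a record type."""
    def __init__(self):
        self.subscribers = defaultdict(list)

    def subscribe(self, record_type, agent):
        self.subscribers[record_type].append(agent)

    def feed(self, record):
        for agent in self.subscribers[record["type"]]:
            agent.on_record(record)


class LoginFailureAgent:
    """Simple agent: forwards each failed login on its host to the transceiver."""
    def __init__(self, transceiver):
        self.transceiver = transceiver

    def on_record(self, record):
        if record["result"] == "fail":
            self.transceiver.report(record["src"])


class Transceiver:
    """Per-host backbone: aggregates its agents' reports and passes them up."""
    def __init__(self, host, monitor):
        self.host, self.monitor = host, monitor
        self.failures = Counter()

    def report(self, src):
        self.failures[src] += 1
        self.monitor.receive(self.host, src)

    def local_alerts(self, threshold):
        return {src for src, n in self.failures.items() if n >= threshold}


class Monitor:
    """Top-level entity: correlates transceiver data across hosts."""
    def __init__(self):
        self.by_src = defaultdict(Counter)   # src -> host -> failures

    def receive(self, host, src):
        self.by_src[src][host] += 1

    def distributed_alerts(self, threshold):
        # One source probing several hosts, each below the per-host threshold.
        return {src for src, hosts in self.by_src.items()
                if len(hosts) >= 2 and sum(hosts.values()) >= threshold}


def run_scenario(threshold=5):
    monitor = Monitor()
    hosts = {}
    for name in ("hostA", "hostB", "hostC"):
        tx = Transceiver(name, monitor)
        flt = Filter()
        flt.subscribe("login", LoginFailureAgent(tx))
        hosts[name] = (tx, flt)
    # Constructed audit records: 203.0.113.9 spreads two guesses per host;
    # 10.0.0.5 is a user who mistyped a password once.
    records = [(h, {"type": "login", "src": "203.0.113.9", "result": "fail"})
               for h in hosts for _ in range(2)]
    records.append(("hostA", {"type": "login", "src": "10.0.0.5", "result": "fail"}))
    records.append(("hostA", {"type": "login", "src": "10.0.0.5", "result": "ok"}))
    for host, rec in records:
        hosts[host][1].feed(rec)
    local = {h: tx.local_alerts(threshold) for h, (tx, _) in hosts.items()}
    return local, monitor.distributed_alerts(threshold)


if __name__ == "__main__":
    print(run_scenario())   # no host alerts alone; the monitor flags 203.0.113.9
```

The same structure also exhibits the cost listed on slide 48: the monitor can only decide once every transceiver's report has arrived, and here each failure is forwarded individually, so the network traffic between hosts and monitor grows with the event rate rather than being reduced at the transceiver.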
Slide 42: AAFID2 prototype
- Road-tests the architecture, with a focus on usability and flexibility
- Run-time distribution of code
- Little focus on performance
- Provides infrastructure for development
- Uses pipes and TCP for communication
- Implemented in Perl5: easy portability, easy to install and run

Slide 43: Development support
- APIs for the development of Agents and Filters
- A code generation tool for agents already exists
- The APIs implement the generic behaviour, so implementers only need to add the specific functionality

Slide 44: Graphical User Interface
- Very simple support for starting and controlling entities
- Implemented in Perl/Tk
- Current status: prototype distributed to the public
  - ftp://coast.cs.purdue.edu/pub/coast/AAFID/
  - http://www.cs.purdue.edu/coast/projects/autonomous-agents.html

Slide 45: Performance impact
- Measurements on 22 machines in the COAST lab over 14 hours (Sparc LX, Sparc 5, Sparc 10, Ultra 1, Ultra 2)
- On average:

Slide 46: Detection
- ARP cache poisoning
- Writable user and configuration files
- Suspicious sequences of commands
- Accesses to network services
- Health of system services
- Repeated login failures
- Configuration problems in ftp and www servers

Slide 47: Benefits of AAFID
- Graceful degradation of service
- Scalability
- Easier to modify configuration
- Information can be collected at the end host
- Can combine host-based and network-based approaches to intrusion detection

Slide 48: Drawbacks of AAFID
- Monitors may still be single points of failure
  - Solution: hierarchical structure, redundancy
  - Must ensure consistent information among redundant monitors
- Detection of intrusions at the monitor level is delayed until all information reaches the monitor
- Difficult to keep global state
- Data reduction is not implemented correctly
  - Still creates a lot of network traffic
- More difficult to do failure tolerance

Slide 49: MA Systems: LIDS (Local Intrusion Detection System)

Slide 50: ID in ad hoc wireless networks: Mobile Agents, LIDS

Slide 51: Features of LIDS
- Reliable
- Flexible
- Behaviour based
- Blackboard-based architecture
- Controlled by autonomous agents
- Learning and adapting capability
- Low maintenance cost
- Uses building blocks of computational intelligence as the intrusion analyzer
- Low rate of false positives

Slide 52: ID Systems: other intrusion detection techniques

Slide 53: Haystack Algorithm
- Host-based system
- A statistical anomaly detection algorithm
- Requires a designated node to act as a central administrator
- Uses the audit trail generated by the host
- Analyzes users' session vectors
- Weight scoring against threshold vectors
- Able to detect several types of intrusions
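Slide 53's session-vector scoring, which is also the statistical baseline-and-threshold form of anomaly detection from slides 18 and 19, as an added example (Python; not Haystack's code and not part of the original presentation). The features, weights, baseline sessions and test sessions are constructed; the rule (learn a per-feature normal range from past sessions, sum the weights of the features that fall outside it, alarm above a level) follows the slide's description and simplifies Haystack itself. The four test sessions cover a normal session, an intrusion, slide 19's false positive (a legitimate but unusual session) and an attack kept inside the normal ranges, which the scorer misses.

```python
"""Haystack-style session-vector scoring with thresholds learned from a baseline.

Added example for slides 18, 19 and 53. Features, weights, the baseline
sessions and the test sessions are constructed; the scoring rule (sum the
weights of features that fall outside their per-user range, alarm above a
level) follows the slide's description and is a simplification of Haystack.
"""
from statistics import mean, pstdev

FEATURES = ("session_secs", "cpu_secs", "files_read", "failed_logins", "commands")
# Weight reflects how strongly an out-of-range value suggests misuse.
WEIGHTS = {"session_secs": 1, "cpu_secs": 1, "files_read": 2, "failed_logins": 3, "commands": 1}

# Constructed baseline: eight normal sessions for one user.
BASELINE = [dict(zip(FEATURES, row)) for row in (
    (1800, 12, 20, 0, 40), (2100, 15, 25, 1, 55), (1950, 11, 22, 0, 48),
    (2400, 18, 30, 0, 60), (1700, 10, 18, 1, 38), (2000, 14, 24, 0, 50),
    (2200, 16, 27, 0, 57), (1850, 13, 21, 0, 45),
)]


def build_thresholds(history, k=2.0):
    """Per-feature normal range [mean - k*sd, mean + k*sd], floored at zero."""
    thresholds = {}
    for f in FEATURES:
        values = [s[f] for s in history]
        m, sd = mean(values), pstdev(values)
        thresholds[f] = (max(0.0, m - k * sd), m + k * sd)
    return thresholds


def score_session(session, thresholds, weights=WEIGHTS):
    """Return (score, out_of_range_features) for one session vector."""
    out = [f for f in FEATURES if not thresholds[f][0] <= session[f] <= thresholds[f][1]]
    return sum(weights[f] for f in out), out


def classify(session, thresholds, alarm_level=3):
    """(alarm?, score, out-of-range features) for one session."""
    score, out = score_session(session, thresholds)
    return score >= alarm_level, score, out


# Constructed sessions to classify.
NORMAL = dict(zip(FEATURES, (1900, 14, 23, 0, 47)))
INTRUDER = dict(zip(FEATURES, (600, 14, 400, 4, 120)))     # short, noisy, many failures
LATE_NIGHT = dict(zip(FEATURES, (5400, 40, 35, 0, 90)))    # legitimate but unusual: false positive
MIMICRY = dict(zip(FEATURES, (2000, 13, 24, 1, 50)))       # attack kept inside the normal ranges

if __name__ == "__main__":
    thr = build_thresholds(BASELINE)
    for name, s in (("normal", NORMAL), ("intruder", INTRUDER),
                    ("late night", LATE_NIGHT), ("mimicry", MIMICRY)):
        print(name, classify(s, thr))
```

Two knobs govern the trade-off the slides describe: widening the ranges (larger k) or raising alarm_level suppresses the late-night false positive but lets more intruder sessions through, and no setting catches the mimicry session, since every feature sits inside the baseline.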
Slide 54: Indra: Intrusion Detection and Rapid Action
- A peer-to-peer approach
- Makes use of cross-monitoring, or "neighborhood watch"
- Information on attempted attacks is gathered by the intended victims
- The victim notifies adjacent hosts of the attack, or peer nodes detect the attack and sound the alarm
- Uses daemons
- Web-of-trust model for certification of nodes

Slide 55: Detection at the network layer
- Watchdog: verifies that the next node in the path forwards the packet, by listening in promiscuous mode
- Control messages: adds two control messages to the DSR protocol
- Neighborhood watch: observes routing-protocol behaviour, listens to the transmissions of the next node, and sends alarm messages
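The watchdog of slide 55 as a small simulation, added here as an example (Python; not part of the original presentation or of any published watchdog implementation). Node A forwards packets to B on a source-routed path and, listening in promiscuous mode, expects to overhear B retransmit each one; the timeout, the failure threshold, the packet ids and the drop pattern are constructed.

```python
"""Watchdog simulation for a source-routed ad hoc path A -> B -> D.

Added example for slide 55. Node A forwards packets to B and, listening in
promiscuous mode, expects to overhear B retransmit each one. Timeout,
threshold, packet ids and the drop pattern are constructed; the bookkeeping
(buffer of forwarded packets, failure tally, alarm above a threshold) is the
watchdog idea described on the slide, simplified.
"""


class Watchdog:
    def __init__(self, next_hop, timeout, threshold):
        self.next_hop = next_hop
        self.timeout = timeout
        self.threshold = threshold
        self.buffer = {}        # packet id -> time A forwarded it to next_hop
        self.tally = 0          # packets next_hop failed to forward in time
        self.alarm_raised = False

    def forwarded(self, pkt_id, now):
        self.buffer[pkt_id] = now

    def overheard(self, sender, pkt_id, now):
        # Only a retransmission by the monitored next hop clears the entry;
        # an unrelated node rebroadcasting the packet proves nothing about B.
        if sender == self.next_hop:
            self.buffer.pop(pkt_id, None)

    def tick(self, now):
        """Expire overdue packets; return an alarm the first time the tally passes the threshold."""
        overdue = [p for p, t in self.buffer.items() if now - t > self.timeout]
        for p in overdue:
            del self.buffer[p]
            self.tally += 1
        if self.tally > self.threshold and not self.alarm_raised:
            self.alarm_raised = True
            return f"ALARM to source: {self.next_hop} dropped {self.tally} packets"
        return None


def simulate(drop_ids, n_packets=10, timeout=2, threshold=3):
    """A forwards packet i at time i; B retransmits every packet not in drop_ids."""
    wd = Watchdog(next_hop="B", timeout=timeout, threshold=threshold)
    alarm_at = None
    for now in range(1, n_packets + timeout + 3):
        if now <= n_packets:
            wd.forwarded(now, now)
            if now not in drop_ids:
                wd.overheard("B", now, now + 0.5)
        if wd.tick(now) is not None:
            alarm_at = now
    return {"tally": wd.tally, "alarm_at": alarm_at}


if __name__ == "__main__":
    print(simulate(set()))                 # {'tally': 0, 'alarm_at': None}
    print(simulate({2, 4, 6, 8, 10}))      # {'tally': 5, 'alarm_at': 11}
```

The alarm is deliberately rate-based: a single lost packet on a lossy radio link only increments the tally, and B is reported to the source only after the tally exceeds the threshold, which is also why a node that drops below that rate goes unreported.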
Slide 56: Multi-layer IDS (mIDS)
- Detection on one layer can be initiated or aided by evidence from other layers
- Aggregating evidence allows a more informed decision
- Improved performance: higher true-positive and lower false-positive rates

Slide 57: Conclusion: Mobile Agent Benefits
- Run continually
- Fault tolerant
- Resist subversion
- Minimal overhead
- Configurable
- Adaptable
- Scalable
- Provide graceful degradation of service
- Allow dynamic reconfiguration

Slide 58: Questions & Answers: Mobile Agents for Intrusion Detection