
1 Intrusion Detection
Dr. Gregory Vert

2 Intrusion Detection
Definition:
– Detection of an attack
  » While it is going on
  » Shortly after it has occurred

3 Intrusion Detection
Goal:
– To thwart the attack
– Conduct a forensic investigation
– Minimize damage
– Learn how the attack was conducted and improve system security

4 Intrusion Detection
General theory behind ID:
– Actions of normal system processes and users conform to a pattern that can be defined mathematically
– Users and processes are not trying to break the system
– Users and processes have a set of defined privileges and actions

5 Intrusion Detection
To do intrusion detection, build a system that monitors for changes in the previous assumptions.
Examples:
– 90% of CPU usage occurs between 8am and 5pm
– Users don't usually browse the password files
– More than 3 failed login attempts may be an attack, because users usually log in on the first try

6 Intrusion Detection
Attack tools:
– Are how systems are usually attacked
– Are usually a piece of existing software
– Are generally automated
  » Want volume in an attack
  » Want to look at many computers and find a few that are not secure
  » Want the computer to do the bulk of the work on the attack

7 Intrusion Detection
Example of an attack tool: root kits
– Replace existing operating system files, e.g. ls, du, netstat, ifconfig (network device configuration)
– Sniff passwords and network connections
– Run with root privilege
– Run concealed
– Allow access to the hacker through a back door

8 Intrusion Detection
Denning:
– Hypothesis that exploitation of vulnerabilities requires abnormal use of existing commands
– Therefore look for abnormality in command usage on the system
– Key idea behind detection

9 Intrusion Detection Systems (IDS)
– An automated system that looks for abnormal patterns in:
  » System commands and usage
  » Volumes
  » Access to locations in the system
  » Failures

10 Intrusion Detection
An IDS must be automated because:
– System logs contain tons and tons of information
– Often looking for 5-20 abnormal changes in 5000 lines of data
– Slow attacks are even worse to detect because
  » Actions happen over an extended period of time
  » Logs don't show adjacent sequences of activities

11 Intrusion Detection
A good IDS has 4 characteristics (Bishop):
– Detects a wide variety of attacks
  » Not as simple as it sounds
  » How can you detect an attack if you don't know how it works and have never seen one before?
  » Class ideas?

12 Intrusion Detection
Good IDSs have 4 characteristics:
– Detect attacks in a timely fashion
  » How fast is fast enough? Discussion?
  » Real-time systems may bog down processing
    » Which is an attack in its own right
    » A denial of service attack

13 Intrusion Detection
Good IDSs have 4 characteristics:
– Must present analysis in a clear, simple format
– Problems:
  » False positives – thinks an attack is going on when it really is not
  » False negatives – does not think an attack is going on when it really is

14 Intrusion Detection
Good IDSs have 4 characteristics:
– Must be accurate (the false positive / false negative problem from the previous slide)
– We only want to respond to the real stuff because responding is:
  » Time consuming
  » May lead to actions that damage the system without cause
  » Draws resources away from dealing with a real attack that could start as you are investigating

15 Intrusion Detection
Three system models for an IDS:
– Anomaly detection
– Misuse detection
– Specification detection (new)

16 Intrusion Detection
Anomaly detection:
– Assumes that unexpected behavior is evidence of an attack
– Compares a set of variables and their values to a known set of variables
– Tries to reason about an attack based on data that does not match
– Usually done with statistics, but could be done with other techniques as well

17 Intrusion Detection
Anomaly detection – threshold approach:
– When a variable (or variables) is above a certain level, declare an attack
– Examples:
  » Number of failed logins for a given user id in 10 minutes
  » Disk usage
  » Number of packets on port x in time period n

18 Anomaly Detection
Threshold approach problems:
– Users have different skill levels
  » Example: an Asian user of an English computer system (Class?)
– One threshold is generally applied to all
– The approach can therefore penalize new users by locking them out of the system

19 Anomaly Detection
Statistical moment approach:
– Instead of setting a threshold, calculate:
  » Averages (means)
  » Standard deviations
– Look for deviations from these variables

20 Anomaly Detection
Statistical moment approach – problems:
– Data may change over time in unexpected ways
  » New users
  » Users become smarter
– Need to age data somehow to show how the system is changing (how do we do this?)
– Generally a better system than thresholds
– May use an expert system (Haystack, IDES)
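As an added illustration (not from the slides), the two approaches of slides 17 to 20 side by side in Python: a fixed failed-login threshold over a constructed auth log, and a per-subject profile whose mean and standard deviation are aged with an exponentially weighted update, one simple answer to the "how do we age data?" question. The log format, the alpha and k values and the warm-up count are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log (not from the slides): alice fails twice, bob four times.
AUTH_LOG = """\
2024-03-04 09:01:10 sshd: Failed password for alice from 10.0.0.5
2024-03-04 09:02:05 sshd: Failed password for alice from 10.0.0.5
2024-03-04 09:03:40 sshd: Accepted password for alice from 10.0.0.5
2024-03-04 09:10:00 sshd: Failed password for bob from 10.0.0.9
2024-03-04 09:10:04 sshd: Failed password for bob from 10.0.0.9
2024-03-04 09:10:08 sshd: Failed password for bob from 10.0.0.9
2024-03-04 09:10:12 sshd: Failed password for bob from 10.0.0.9
"""

def threshold_alerts(log, limit=3, window=timedelta(minutes=10)):
    """Threshold approach: more than `limit` failed logins for one user id inside a
    sliding `window` is an alert. The same fixed limit applies to every user."""
    recent, alerts = defaultdict(deque), []
    for line in log.splitlines():
        if "Failed password" not in line:
            continue
        ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
        user = line.split(" for ")[1].split()[0]
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:             # forget failures older than the window
            q.popleft()
        if len(q) > limit:
            alerts.append((user, ts.strftime("%H:%M:%S")))
    return alerts

class AgedProfile:
    """Statistical-moment approach: a per-subject running mean and standard deviation,
    aged by exponential weighting so old data fades as the system changes."""
    def __init__(self, alpha=0.2, k=3.0, warmup=4):
        self.alpha, self.k, self.warmup = alpha, k, warmup   # k = sigma multiplier
        self.mean, self.var, self.n = 0.0, 0.0, 0

    def observe(self, x):
        if self.n == 0:
            self.mean, self.n = x, 1
            return False
        dev = x - self.mean
        # Judge only after `warmup` samples; before that the moments are unreliable.
        anomalous = self.n >= self.warmup and abs(dev) > self.k * self.var ** 0.5
        # Exponentially weighted update: alpha sets how fast old observations age out.
        self.mean += self.alpha * dev
        self.var = (1 - self.alpha) * (self.var + self.alpha * dev * dev)
        self.n += 1
        return anomalous
```

Feeding `AgedProfile` a user's daily values such as 10, 12, 9, 11, 10, 12 and then 40 flags only the 40, and afterwards the aged mean has already moved towards it.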

21 Anomaly Detection
State machine model:
– A series of events occurs in regular sequences
– Certain events are more likely to follow other events – state transitions
– When a low-probability transition occurs, it is probably anomalous
– Draw: login, cd home dir -> open word processor
– Can be utilized on system calls: open, read, write, close

22 Anomaly Detection
State machine – problems:
– Need to know the events and sequences ahead of time
– Need training data
– The system may change based on the addition of new software
– Can only be run on the computer from which the training data is derived
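An added example (not from the slides) of the state machine model on system calls: transition probabilities are learned from constructed training traces of a well-behaved program, and a new trace is scored by looking for transitions whose learned probability is low or that were never seen. The traces, the `<start>`/`<end>` markers and the 0.1 threshold are assumptions.

```python
from collections import defaultdict

# Constructed training traces (not from the slides): system-call sequences of a
# well-behaved file-copy program, the training data the model needs.
TRAINING = [
    ["open", "read", "read", "close"],
    ["open", "read", "close"],
    ["open", "read", "read", "read", "close"],
    ["open", "write", "close"],
]

START, END = "<start>", "<end>"

def train(traces):
    """Count every observed transition a -> b and turn the counts into P(b | a)."""
    counts = defaultdict(lambda: defaultdict(int))
    for trace in traces:
        for a, b in zip([START] + trace, trace + [END]):
            counts[a][b] += 1
    return {a: {b: n / sum(nexts.values()) for b, n in nexts.items()}
            for a, nexts in counts.items()}

def low_probability_transitions(model, trace, threshold=0.1):
    """Return (a, b, P) for each transition in `trace` whose learned probability is
    below `threshold`; a transition never seen in training has probability 0."""
    flagged = []
    for a, b in zip([START] + trace, trace + [END]):
        p = model.get(a, {}).get(b, 0.0)
        if p < threshold:
            flagged.append((a, b, p))
    return flagged
```

Installing new software changes the real transition structure, which is why the slide says the model only holds for the machine it was trained on.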

23 Anomaly Detection
Which features and data variables to watch is critical to the success of AD.
Frank demonstrated that selection of the "best" features for a network activity classification program could be based on eliminating features according to the error rate they induce in the classification of activity.
– He found that about 5 features was right for his study

24 Anomaly Detection
Generally assumes a Gaussian distribution:
– A bell curve that shows what is normal
Some systems may cluster data by related values, such as "read time" for a file and "CPU usage" for the read.
– Outliers – values that don't fit into a cluster – can then indicate an attack
– Draw

25 Misuse Detection
– An attack by an insider who generally has authorized access
– Is rule based
– Looks for sequences of commands that knowingly violate policy
– Example

26 Misuse Detection
– Rules are placed into a rule set
– The IDS processes the rules against system logs looking for violations of the rules
– Often involves expert systems because rules can be ambiguous

27 Misuse Detection
– Can't detect attacks that are unknown
  » The attack's sequence of rule violations is not known
– Can enhance systems to make them adaptive via Petri nets

28 Misuse Detection
IDIOT – Spafford; uses Petri nets. Defines:
– Events – a change in system state, and a record of the event
– Transitions from one state to another on an event
– Transitions may have tests (guards) that check for the existence of variables in certain states and/or make assignments
– Can have separate transition branches that merge
– Draw

29 Misuse Detection
IDIOT classifies attacks by category:
– Existence – the attack creates a file
– Sequence – the attack causes several events to occur sequentially
– Partial order – the attack causes two or more sequences of events that form an ordering over time
– Interval – two events occur exactly n units of time apart

30 Misuse Detection
IDIOT:
– Monitors audit trail logs
STAT – a similar system (Ilgun):
– No guards; uses state tables
– Looks at the sequence of commands to, e.g., get a forbidden privilege
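An added example (not from the slides, and not IDIOT's own code) of rule-based misuse detection in the style of slides 28 to 30: a signature is a sequence of events with guards that bind and test variables, a token advances through it as audit records arrive, and an interval bound discards tokens that take too long. The audit records, the signature and the 60-second interval are all constructed assumptions.

```python
# Constructed audit records (not from the slides): (time in seconds, event, attributes).
AUDIT = [
    (0,  "login_fail", {"user": "bob",   "src": "10.0.0.9"}),
    (5,  "login_fail", {"user": "bob",   "src": "10.0.0.9"}),
    (9,  "login_ok",   {"user": "bob",   "src": "10.0.0.9"}),
    (12, "su",         {"user": "bob",   "target": "root"}),
    (30, "login_ok",   {"user": "alice", "src": "10.0.0.5"}),
]

# A hypothetical signature in the IDIOT style: each step names the event that fires
# the transition plus a guard. The guard receives the event attributes and the
# variables bound so far and returns the new bindings, or None if its test fails.
FAIL_THEN_ROOT = [
    ("login_fail", lambda e, v: {**v, "user": e["user"]}),                    # bind user
    ("login_ok",   lambda e, v: v if e["user"] == v["user"] else None),        # same user
    ("su",         lambda e, v: v if e["user"] == v["user"] and e["target"] == "root" else None),
]

def match(pattern, audit, within=60):
    """Token-based matcher: a fresh token may start at every record, a token advances
    when both the event name and the guard match, and a token older than `within`
    seconds is discarded (the interval category of slide 29).
    Returns (start_time, end_time, bindings) for every completed match."""
    matches, tokens = [], []
    for t, event, attrs in audit:
        kept = []
        for step, bound, t0 in tokens + [(0, {}, t)]:
            if t - t0 > within:
                continue                                  # interval expired
            name, guard = pattern[step]
            new_bound = guard(attrs, bound) if event == name else None
            if new_bound is not None and step + 1 == len(pattern):
                matches.append((t0, t, new_bound))        # final transition fired
                continue                                  # completed token is retired
            if new_bound is not None:
                kept.append((step + 1, new_bound, t0))
            if step > 0:
                kept.append((step, bound, t0))            # may still match a later event
        tokens = kept
    return matches
```

Each failed login that begins a completed chain yields its own match, so the sample audit produces two matches for bob, and the same `su` arriving 100 seconds later produces none.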

31 Specification Modeling
– Misuse detection looks for states known to be bad
– Specification modeling looks for states known to not be good – a possible intrusion
– Builds specifications for how a program should run
– Examines the program for deviations from good states

32 Specification Modeling
Ko developed a specification-based IDS:
– Monitored 15 security-related programs
– Monitored things like:
  » Object access
  » Synchronization of data
  » Sequences of commands
  » Race conditions

33 Specification Modeling
They looked at rdist (remote distribution):
– rdist updates programs on remote systems
– The problem is that rdist modifies permissions on files
  » By replacing a file with a symbolic link to another file, one can get rdist to change permissions on that file

34 Specification Modeling
SM:
– Utilizes grammars to specify actions
– Grammars define acceptable activities
– Is a relatively new field
– Because it specifies what should happen, unknown attacks can be detected
– Class: drawbacks?
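An added example (not from the slides, and not Ko's actual specification) of specification modeling for the rdist case of slide 33: a small grammar of acceptable operations per target path is written as a state table, and a trace of operations is checked for anything the grammar does not allow, including a chmod applied to a path that has become a symbolic link. The grammar, the trace format and the paths are constructed assumptions.

```python
# Hypothetical specification for an rdist-like file-distribution program (an
# illustration, not Ko's grammar): for each target path the only acceptable
# sequence is  create -> write* -> chmod -> close, and chmod may never be applied
# to a path that has become a symbolic link.
SPEC = {                       # current state -> {operation: next state}
    "start":    {"create": "created"},
    "created":  {"write": "created", "chmod": "chmodded"},
    "chmodded": {"close": "done"},
}

def check_trace(trace):
    """Walk a trace of (operation, path, is_symlink) records and return every
    deviation from the specification as (operation, path, reason)."""
    state, violations = {}, []
    for op, path, is_symlink in trace:
        current = state.get(path, "start")
        nxt = SPEC.get(current, {}).get(op)
        if nxt is None:                       # operation not in the grammar for this state
            violations.append((op, path, f"{op} not allowed in state {current}"))
            continue
        if op == "chmod" and is_symlink:      # the rdist symlink problem from slide 33
            violations.append((op, path, "chmod on a symbolic link"))
        state[path] = nxt
    return violations

# Constructed traces (not from the slides).
NORMAL_TRACE = [
    ("create", "/usr/local/bin/tool", False),
    ("write",  "/usr/local/bin/tool", False),
    ("chmod",  "/usr/local/bin/tool", False),
    ("close",  "/usr/local/bin/tool", False),
]
DEVIANT_TRACE = [
    ("create", "/tmp/rdist.tmp", False),
    ("write",  "/tmp/rdist.tmp", False),
    ("chmod",  "/tmp/rdist.tmp", True),    # the path is a symlink when chmod runs
    ("close",  "/tmp/rdist.tmp", False),
    ("chmod",  "/etc/passwd",    False),   # chmod of a path the program never created
]
```

Neither deviation needs a signature of a known attack: both are simply operations outside what the specification says the program should do, which is the slide's point about detecting unknown attacks.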

35 Summary
Misuse detection:
– Detects violations of policy, implicit or explicit
– Need to develop rules, states, actions etc.
– Must have them in a rule base
– Only detects attacks that are known

36 Summary
Anomaly detection:
– Detects policy violations also
– A little more generalized than misuse detection
– Uses statistics to find deviations

37 Summary
Specification modeling:
– Must have rules for how a good program operates
– Need experts to define the rules
– Can detect unknown attacks

38 Architecture
– An IDS works off of audit trails
– Audit trails are found in logs
– Best to collect log data from all over the system due to distributed attacks
– Generally constructed in 3 subsystems

39 Architecture
Agent:
– A relatively autonomous piece of software that collects data from a local machine
– May format the data (why?)
– Sends the data to a centralized system
– May weed out data that is not deemed to be important

40 Architecture
Agents can be host based:
– Utilize system and application logs
– May be security logs or accounting logs
– A virtual agent can be in the kernel and write data it finds interesting to logs
– Logs can be very large

41 Architecture
Agents can be network based:
– Use devices and software to monitor network traffic
– Used to detect network-based attacks
– Utilize sniffing; monitor the contents of packets
– Must be arranged in a way that provides full network coverage
– Encipherment makes this task a problem

42 Architecture
Agents send formatted information to the director software.
Directors:
– Eliminate unnecessary log entries
– Utilize an analysis engine to find attacks
– Usually run on a separate system
– Adaptive directors may alter search rules (neural network)

43 Architecture
Notifier:
– Accepts information from the director and takes appropriate action
– May notify a security officer via a GUI
– May be proactive in combating an attack

44 Systems to Look At
– Courtney – monitors for use of SATAN
– SATAN – system for finding weaknesses in Unix
– IDIP – coordinates IDSs on firewalls to block attacks
– NSM – develops profiles of system usage and compares activity against the profiles, e.g. repeated telnet connections of short duration

45 Systems to Look At
– DIDS – distributed IDS based on NSM; works in conjunction with host-based IDSs
  » NSM is network based only
– AAFID – autonomous agents that report data; distributes the components of the IDS into pieces
  » Eliminates a single point of failure; the director is distributed

46 Incident Response
Ideally you want to:
– Detect the attack as it starts
– Take defensive measures
– Work automatically
– Can be very system-resource intensive (why?)

47 Incident Response
Definition: jailing
– Placing an attacker in a confined area of the system
– Letting them think that they are inside the system
– Allows one to observe the hacker
– Sometimes referred to as a honey pot
– Usually has a faked file system
– May intercept system calls and do something (kernel)

48 Incident Response
Goal:
– To restore the system to comply with the security policy
– Replace / fix damaged resources

49 Incident Response
Six phases:
– Preparation
  » Procedures and methods for detection
  » Backups
– Identification
  » Identify the attack
  » Trigger for the following phases

50 Incident Response
Containment:
– Limits the damage as much as possible
– May not be possible if you have a real-time system
– Attacks generally probe for a while and then do damage
– You get a chance to contain if you detect the probing

51 Incident Response
Eradication:
– Stops the attack if done in real time
– Puts mechanisms in place to thwart other attacks
Recovery:
– Restores the system to the pre-attack configuration
– Must detect what has been modified

52 Incident Response
Response – follow up:
– Taking action against the attacker
  » Forensic investigation
  » Counter attack
  » Law enforcement
– Fixing holes in your system
– Documentation of lessons learned
– Documentation of attack details

53 Details
Containment approaches:
– Passive monitoring
  » Meant to record actions for later use
  » Examine the goals and techniques of the hacker
  » A honeypot
– Constraining the actions of the hacker
  » Goal: to prevent the hacker from accomplishing their aims
  » Problem: may not know what the goal is

54 Details
Eradication:
– Goal: to stop the attack
– Must ensure it does not resume immediately
– May block attacks by placing wrappers around a suspected target
  » Wrappers control access
  » Want to embed wrappers in the kernel to make them hard to bypass
– Example

55 Details
Eradication:
– Good to place wrappers at the firewall
  » Firewalls filter network traffic
  » Example
– IDIP – Intrusion Detection and Isolation Protocol
  » Firewalls communicate directly with each other
  » Coordinate a response to an attack

56 Details
Follow up:
– Most common is to follow up with legal action
– How to trace the attack for follow up: thumbprinting
  » Monitor connections between any two hosts
  » Check for similar content moving across the connections
  » The method allows you to trace back to the source of the attack
  » Hackers may move through multiple hosts before attacking
  » The software needs to be small, effective and fast

57 Details
Follow up:
– May use IP header marking
  » Examine and mark the contents of headers to trace an attack back to its source
  » Don't want to do this for every packet
  » Deterministic marking – marks every n packets using an algorithm
  » Marking is done in extra bits that are not utilized in IP headers

58 Details
Follow up – counter attacking:
– Filing criminal complaints
  » Requires a good chain of evidence to establish that the attack was real – not an accident or error
– Technical attack
  » Goal is to damage their system
  » Problems:
    » May harm innocent parties
    » May have side effects – denial of service
    » May get you in trouble legally
