
Intrusion Detection Issues Presented by Deepa Srinivasan CSE581, Winter 2002, OGI.


1 Intrusion Detection Issues Presented by Deepa Srinivasan CSE581, Winter 2002, OGI

2 Papers on this topic
–Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection (Jan ’98)
–Network Intrusion Detection: Evasion, Traffic Normalization and End-to-End Protocol Semantics (’01)
–IP Fragmentation and fragrouter (Dec ’00)
–An Achilles’ Heel in Signature-based IDS: Squealing False Positives in SNORT (’01)

3 Agenda
Introduction to IDS
–Some popular IDSs
Problems with IDSs
Normalizer
IP Fragmentation & fragrouter
“Squealing” in SNORT

4 Introduction to IDS
Intrusion attempt or threat: the potential possibility of a deliberate unauthorized attempt to access/manipulate information, or to render a system unreliable or unusable.
Types of IDS
–Host-based
–Network IDS
Example IDSs
–ISS RealSecure, WheelGroup NetRanger, Network Flight Recorder, Snort

5 Principles of IDSs
Common Intrusion Detection Framework
–Event generators
–Analysis Engines
–Storage Mechanisms
–Countermeasures

6 Principles of IDSs Common Intrusion Detection Framework

7 Principles of IDSs
Passive monitoring
Signature Analysis
Need for reliable ID
–accuracy: false positives and false negatives
–“fail-open”: if an attacker disables the IDS, the entire network is still accessible
–forensic value of information

8 Fundamental problems of IDSs
Deployed on a different box
Could be on a different network segment
Protocol implementation ambiguities
–different protocol stacks have different behavior
NIDS could see a different stream of packets than the host

9 Fundamental problems of IDSs
False positives
–incorrectly identify an intrusion when none has occurred
False negatives
–incorrectly fail to identify an intrusion that has actually occurred

10 Attacks on IDSs
Insertion
–IDS thinks packets are valid; end system rejects them
Evasion
–end system accepts packets that the IDS rejects
Denial of Service
–resource exhaustion
Examples

11 Popular problems/attacks
TCP/IP Options fields
TCB Creation/Teardown
TCP Stream Reassembly
IP Fragmentation
–overlapping fragments

12 Specific attacks
Invalid MAC addresses?
Invalid headers
–Permissive in receiving, frugal in sending?
–Bad IP checksum will be dropped?
–IP options
IP TTL ambiguity
–Packet received or not?

13 Specific attacks
Packet size
–Packet too large for downstream link?
Source-routed packets
–Will destination reject such packets?
Fragment or TCP handshake time-out
–Will other parts of fragment/TCB still be at destination?
Overlapping segments
–Rewrite old data or not?

14 Specific attacks
Weird TCP options
–Destination might be configured to drop
Old TCP timestamps (PAWS)
–Destination might be configured to drop
TCP RSTs with weird sequence numbers
–Is connection reset?
Addition of interpreted characters (“^H”)
–How does OS interpret?

15 IP Fragmentation
Allows IP traffic over different network media with different max packet sizes
IP stacks do not handle reassembly well
–can lead to DoS (teardrop, jolt2)
Fragrouter
–NIDS testing tool
–accepts IP packets routed from another system
–fragments these packets according to various schemes

16 Popular problems/attacks
Resource Exhaustion
–CPU, Memory, Network Bandwidth
–CPU: data-structure attack via fragments
–Memory: space attack via fragments
–Network: targeted DoS to disrupt TCP reassembly
Abusing reactive IDS
–attack to generate false positives
–IDS shuts down valid connections, blocks valid traffic, etc.
–Results in the IDS triggering a DoS


18 Popular problems/attacks
Resource Exhaustion
–CPU, Memory, Network Bandwidth
Abusing reactive IDS
–attack to generate false positives
–IDS shuts down valid connections, blocks valid traffic, etc.
–Results in the IDS triggering a DoS

19 Methodology
Black-box testing
PHF attack
–exploits a CGI script (phf) to gain access to web servers
Software Used
–CASL
–FreeBSD 2.2
–netcat
–tcpdump

20 Results

21 Discussion Questions?

22 Network Intrusion Detection: Traffic Normalization & End-End Protocol Semantics "Transport and Application Protocol Scrubbing"

23 Recap of previous paper
–IDSs are vulnerable to attacks
–fundamental problems: IDS sees different streams than the target host; protocol implementation ambiguities

24 Introduction
Paper introduces the concept of a “normalizer”
Approach & implementation
Performance

25 Normalizer

26 Sits directly in the path of traffic into a site
Patches up or normalizes the packet stream
Result: same traffic and unambiguous behavior for NIDS and host
Differs from a firewall
Other approaches
–host-based IDS, details of intranet, bifurcating analysis

27 Normalization Tradeoffs
Protection
–not meant to, but can act as a firewall
Need to preserve End-End Semantics
Impacts end-end performance
Stateholding attack
–create more state than the Normalizer can handle
Inbound vs Outbound traffic

28 Other Considerations
Cold Start
–is a “real world” requirement
–what happens to existing connections?
–Initiate state for connections from trusted network
Attacking the normalizer itself

29 Systematic Approach
Walk through the packet headers of each protocol
Identify what the “correct” normalization is
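A worked illustration of the overlapping-segment ambiguity from slide 13 ("Rewrite old data or not?") and of the normalization idea in slides 26–29, added here as an example; it is not code from the slides or from the normalizer paper. The two policy names and the "first copy is authoritative" rewrite rule are assumptions of this example, chosen to show why a NIDS alone cannot know which stream the host saw and how a normalizer removes that ambiguity.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int     # relative sequence number of the first payload byte
    data: bytes


def reassemble(segments, policy):
    """Rebuild the byte stream as a host (or a NIDS) would.
    policy="first": bytes already received win, later overlaps are ignored.
    policy="last":  a later overlapping segment overwrites earlier bytes.
    Different stacks resolve overlaps differently; gaps are skipped here."""
    buf = {}
    for seg in segments:
        for i, byte in enumerate(seg.data):
            off = seg.seq + i
            if policy == "last" or off not in buf:
                buf[off] = byte
    return bytes(buf[k] for k in sorted(buf))


def views_agree(segments):
    """True when both overlap policies yield the same stream."""
    return reassemble(segments, "first") == reassemble(segments, "last")


def normalize(segments):
    """Assumed normalizer rule: the first copy of each byte to pass is
    authoritative; later overlapping segments are rewritten to carry it."""
    seen, out = {}, []
    for seg in segments:
        data = bytearray(seg.data)
        for i in range(len(data)):
            off = seg.seq + i
            if off in seen:
                data[i] = seen[off]      # rewrite inconsistent overlap
            else:
                seen[off] = data[i]
        out.append(Segment(seg.seq, bytes(data)))
    return out


# Constructed sample: the third segment overlaps the second with different bytes.
SAMPLE_SEGMENTS = [Segment(0, b"hello "), Segment(6, b"WORLD"), Segment(6, b"world")]

if __name__ == "__main__":
    print(reassemble(SAMPLE_SEGMENTS, "first"), reassemble(SAMPLE_SEGMENTS, "last"))
    print(views_agree(SAMPLE_SEGMENTS), views_agree(normalize(SAMPLE_SEGMENTS)))
```

Before normalization the two policies disagree (one host sees "hello WORLD", another "hello world"), so a NIDS guessing the wrong policy is evaded; after normalization every downstream policy reconstructs the same bytes.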

30 Example Attack IP Identifier and stealth port scans

31 Normalization for this
Solution for patsy
–Scramble IDs of incoming and outgoing packets
–Breaks diagnostic protocols
Solution for victim
–Reliable RSTs
–Normalizer sends a “keep-alive” packet to the host to determine whether the connection was actually closed

32 Implementation
Code in C; uses libpcap
User-level application
Attention to completeness, correctness & performance
Evaluated using a trace-driven approach
–NetDuDE

33 Performance
Platform: 1.1GHz AMD Athlon, FreeBSD 4.2, 133 MHz SDRAM
A normalizer implemented in kernel mode (as a Click module) could forward traffic at line speed on a bi-directional 100 Mbps link

34 Discussion Questions?

35 An Achilles’ Heel to Signature-Based IDS: Squealing False Positives in Snort (‘01)

36 Introduction
Paper documents attacking Snort using false positives
Snort: open-source, free, lightweight NIDS
Squealing
–noise made by pigs during periods of distemperment
Boy cried wolf too many times
–additionally, the boy may not recognize the wolf when it actually appears!

37 Attacking Snort
Limitation is not in correctly identifying attacks, but in the ability to suppress false positives
PCP
–Tool for generating false positives
–packet writing and argument parsing

38 Squeal Attack types
Noise-masked attacks
–divert attention from a covert attack
Attack misdirection
–source of attack is spoofed
Evidence Reputability
Target Conditioning
Statistical Poisoning
–when training an IDS

39 How easy is it?
Using SOCK_RAW
LIBNET, Nemesis
Script-driven tools available (snot, stick, trichinosis)

40 Proposed Solutions
Adaptation
–changing the signature-matching algorithms rapidly
State awareness
–give the IDS a “context” while checking packets

41 Conclusions
IDSs have been around for more than a decade
Several fundamental problems identified in IDS
IDSs themselves are vulnerable to attacks
–and fail-open
Upcoming paper groups

42 References
online.securityfocus.com/ids
www.snort.org
www.raid-symposium.org

