Download presentation
Presentation is loading. Please wait.
Published byMelinda Carroll Modified over 9 years ago
1
Detection Intrusion, Malware, and Fraud
2
2 Intrusion Detection Systems Development of IDSs is to address increasing numbers of network attacks An IDS looks for anomalies that differ from an established baseline IDSs categorized as Signature-based Anomaly-based
3
3 What is IDS? The ideal Intrusion Detection System will notify the system/network manager of a successful attack in progress: With 100% accuracy Promptly (in under a minute) With complete diagnosis of the attack With recommendations on how to block it …Too bad it doesn’t exist!!
4
4 Objectives: 100% Accuracy and 0% False Positives A False Positive is when a system raises an incorrect alert “The boy who cried ‘wolf!’” syndrome 0% false positives is the goal It’s easy to achieve this: simply detect nothing 0% false negatives is another goal: don’t let an attack pass undetected
5
5 Objectives: Prompt Notification To be maximally accurate the system may need to “sit on” information for a while until all the details come in e.g.: Slow-scan attacks may not be detected for hours This has important implications for how “real-time” IDS can be! IDS should notify user as to detection lag
6
6 Objectives: Prompt Notification (cont) Notification channel must be protected What if attacker is able to block notification mechanism? An IDS that uses E-mail to notify you is going to have problems notifying you that your E-mail server is under a denial of service attack!
7
7 Objectives: Diagnosis Ideally, an IDS will categorize/identify the attack Few network managers have the time to know intimately how many network attacks are performed
8
8 Objectives: Recommendation The ultimate IDS would not only identify an attack, it would: Assess the target’s vulnerability If the target is vulnerable it would notify the administrator If the vulnerability has a known “fix” it would include directions for applying the fix This requires huge, detailed knowledge
9
9 IDS: Pros A reasonably effective IDS can identify Internal hacking External hacking attempts May act as a backstop if a firewall or other security measures fail
10
10 IDS: Cons IDS’ don’t typically act to prevent or block attacks They don’t replace firewalls, routers, etc. If the IDS detects trouble on your interior network what are you going to do? By definition it is already too late
11
11 Paradigms for Deploying IDS Attack Detection Intrusion Detection
12
12 Internal Network Internet Router w/some screening Firewall DMZ Network WWW Server Desktop Attack Detection IDS detects (and counts) attacks against the Web Server and firewall IDS
13
13 Attack Detection Placing an IDS outside of the security perimeter records attack level Presumably if the perimeter is well designed the attacks should not affect it! Still useful information for management (“we have been attacked 3,201 times this month…) Prediction: The AD will generate a lot of noise and be ignored quickly
14
14 Internal Network Internet Router w/some screening Firewall DMZ Network WWW Server Desktop Intrusion Detection IDS detects hacking activity WITHIN the protected network, incoming or outgoing IDS
15
15 Intrusion Detection Placing an IDS within the perimeter will detect instances of clearly improper behavior Hacks via backdoors Hacks from staff against other sites Hacks that got through the firewall When the IDS alarm goes off, it’s a red alert
16
16 Attack vs Intrusion Detection Ideally do both Realistically, do ID first then AD The real question here is one of staffing costs to deal with alerts generated by AD systems
17
17 IDS Data Source Paradigms Host Based Network Based
18
18 Host Based IDS Collect data usually from within the operating system C2 audit logs System logs Application logs Data collected in very compact form But application / system specific
19
19 Host Based: Pro Quality of information is very high Software can “tune” what information it needs Kernel logs “know” who user is Density of information is very high Often logs contain pre-processed information
20
20 Host Based: Con Capture is often highly system specific Usually only 1, 2 or 3 platforms are supported (“you can detect intrusions on any platform you like as long as it’s Solaris or NT!”) Performance is a wild-card To unload computation from host logs are usually sent to an external processor system
21
21 Network Based IDS Collect data from the network or a hub / switch Reassemble packets Look at headers Try to determine what is happening from the contents of the network traffic User identities, etc inferred from actions
22
22 Network Based: Pro No performance impact No management impact on platforms Works across O/S’ Can derive information that host based logs might not provide (packet fragmenting, port scanning, etc.)
23
23 Network Based: Con May lose packets on flooded networks May mis-reassemble packets May not understand O/S specific application protocols (e.g.: SMB) May not understand obsolete network protocols (e.g.: anything non-IP) Does not handle encrypted data
24
24 IDS Paradigms Anomaly Detection - the AI approach Misuse Detection - simple and easy Hybrids - a bit of this and that
25
25 Anomaly Detection Goals: Analyse the network or system and infer what is normal Apply statistical or heuristic measures to subsequent events and determine if they match the model/statistic of “normal” If events are outside of a probability window of “normal” generate an alert (tuneable control of false positives)
26
26 Anomaly Detection (cont) Typical anomaly detection approaches: Neural networks - probability-based pattern recognition Statistical analysis - modelling behavior of users and looking for deviations from the norm
27
27 Anomaly Detection: Pro If it works it could conceivably catch any possible attack If it works it could conceivably catch attacks that we haven’t seen before Or close variants to previously-known attacks Best of all it won’t require constantly keeping up on hacking technique
28
28 Anomaly Detection: Con Current implementations don’t work very well Too many false positives/negatives Cannot categorize attacks very well “Something looks abnormal” Requires expertise to figure out what triggered the alert Ex: Neural nets can’t say why they trigger
29
29 Anomaly Detection: Examples Most of the research is in anomaly detection Because it’s a harder problem Because it’s a more interesting problem There are many examples, these are just a few Most are at the proof of concept stage
30
30 Misuse Detection Goals: Know what constitutes an attack Detect it
31
31 Misuse Detection (cont) Typical misuse detection approaches: “Network grep” - look for strings in network connections which might indicate an attack in progress
32
32 Misuse Detection: Pro Easy to implement Easy to deploy Easy to update Easy to understand Low false positives Fast
33
33 Misuse Detection: Con Cannot detect something previously unknown Constantly needs to be updated with new rules Easier to fool
34
34 Hybrid IDS The current crop of commercial IDS are mostly hybrids Misuse detection (signatures or simple patterns) Expert logic (network-based inference of common attacks) Statistical anomaly detection (values that are out of bounds)
35
35 Hybrid IDS (cont) At present, the hybrids’ main strength appears to be the misuse detection capability Statistical anomaly detection is useful more as backfill information in the case of something going wrong Too many false positives - many sites turn anomaly detection off
36
36 Intrusion Detection Systems (Cont.) Common IDS solutions available today: Cisco Secure IDS Enterasys™ Dragon ® Elm 3.0 GFI LANguard S.E.L.M Intrust Event Admin Snort ® Tripwire eTrust ®
37
37 Network Forensics Abuse With an IDS system anyone can: Spy on users’ e-mail Capture passwords Know what Web pages were viewed Covertly see the contents of a customer’s shopping cart
38
38 Examining Data Verifying the integrity of the data There are guidelines that can help ensure the integrity of network data: Logs Time/date stamps IDS alerts
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.