Intrusion Detection CS-480b Dick Steflik
Hacking Attempts
  • IP Address Scans
    • scan the range of addresses looking for hosts (ping scan)
  • Port Scans
    • scan promising ports for openness (80, 21, …)
  • Service Evaluation
    • determine the OS
  • Target Selection
    • pick the most vulnerable host, most running services...
  • Vulnerability Probes
    • Automated password attacks
      • FTP, HTTP, NetBIOS, VNC, PCAnywhere….
    • Application specific attacks
      • try known vulnerabilities on present services
Intrusion Detection Systems (IDS)
  • Inspection Based (Signature Based)
    • Uses a database of known attack signatures
    • observe the activity on a host or network and make judgements about whether or not an intrusion is in progress or has taken place
    • look for known indicators
      • ICMP Scans, port scans, connection attempts
      • CPU, RAM, I/O Utilization
      • File system activity, modification of system files, permission modifications
  • Anomaly Based
    • baseline the normal traffic and then look for things that are out of the norm
  • Variations of IDS
    • Rule based
    • Statistical
    • Hybrid
Decoys/Honeypots
  • Purposely place an incorrectly configured or unprotected system where it is easily found so that a hacker will try to use it as an attack vector.
  • All accesses will set off alarms that indicate an intrusion is in progress
IDS Systems
  • Tripwire
    • Windows or UNIX
    • alarms on modification to system files
      • c:\
      • c:\WINNT
      • c:\WINNT\system
      • c:\WINNT\system32
  • CyberCop
    • Network Assoc.
    • suite of 4 ID tools
  • Sun/Symantec
    • iForce IDS Appliance
    • Sun/Solaris and Symantec’s ManHunt IDS
    • ID Analysis at 2 Gbits/sec
    • ManHunt uses distributed network sensors and a variety of methods to identify threats, including protocol-anomaly detection, signature detection, traffic-state profiling and statistical flow analysis.
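The Tripwire idea on this slide (alarm on modification of system files) reduces to a baseline of file hashes and attributes that is later compared with a fresh snapshot. The following is an added example written for this page, not Tripwire's own code: it records a SHA-256 digest, size and permission bits for every file under a directory, then reports added, removed and modified files. The directory layout and file contents in `demo()` are constructed in a temporary directory so the example runs offline.

```python
"""Added example: a minimal Tripwire-style file integrity check.

snapshot() records a SHA-256 digest, size and permission bits for every
regular file under a root; compare() diffs two snapshots. The sample tree
built in demo() is constructed for the example (names only echo the slide).
"""
import hashlib
import stat
import tempfile
from pathlib import Path


def sha256_of(path, chunk=65536):
    """Hash a file in chunks so large system files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> attributes for every regular file under root."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": sha256_of(p),
                "mode": stat.S_IMODE(st.st_mode),  # permission bits only
                "size": st.st_size,
            }
    return baseline


def compare(baseline, current):
    """Report files that appeared, vanished, or changed in content or permissions."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for name in sorted(set(baseline) & set(current)):
        diffs = [k for k in ("sha256", "mode", "size") if baseline[name][k] != current[name][k]]
        if diffs:
            modified[name] = diffs
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Build a constructed tree, take a baseline, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "system32").mkdir()
        (root / "system32" / "kernel.dll").write_bytes(b"original kernel image")
        (root / "system32" / "drivers.sys").write_bytes(b"driver blob")
        (root / "boot.ini").write_text("[boot loader]\n")
        (root / "boot.ini").chmod(0o644)
        base = snapshot(root)

        # Simulated tampering after the baseline was taken.
        (root / "system32" / "kernel.dll").write_bytes(b"original kernel image + patched")
        (root / "boot.ini").chmod(0o666)             # permission modification only
        (root / "system32" / "drivers.sys").unlink()  # system file removed
        (root / "system32" / "evil.dll").write_bytes(b"unexpected new binary")
        return compare(base, snapshot(root))


if __name__ == "__main__":
    for kind, entries in demo().items():
        print(f"{kind:9s}: {entries}")
```

The baseline itself must be stored somewhere the monitored host cannot rewrite (read-only media or a separate host), otherwise an intruder who modifies a system file can simply re-baseline it.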
SNORT
  • Open Source ( http://www.snort.org )
  • Uses:
    • Packet Sniffer
      • produces a tcpdump formatted output
    • Packet Logger
      • can log packets so that after-the-fact data mining tools can be used for analysis
    • Traffic Debugging and Analysis
      • Can design a ruleset that recognizes certain traffic patterns
      • Can do both anomaly based and Inspection based detection
      • SPADE (Silicon Defense) – a SNORT preprocessor that logs anomalies for later analysis
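To show what "a ruleset that recognizes certain traffic patterns" looks like in practice, here is an added example (written for this page, not Snort's own code) that parses a small subset of Snort's rule language and runs the rules over constructed packets. It handles the rule header (action, protocol, source and destination as `any`, an address or a CIDR block, ports as `any`, a number or a `low:high` range, and the `->` direction) plus the `msg`, `content`, `nocase` and `sid` options; variables such as `$HOME_NET` and Snort's many other options are deliberately left out. The rules and packets are constructed for the example.

```python
"""Added example: a matcher for a small subset of Snort's rule language.

Supported: rule header with "->" direction, addresses as any / IP / CIDR,
ports as any / number / low:high, and the msg, content, nocase and sid
options. Everything else in Snort's language is intentionally unsupported.
"""
import ipaddress
import re
from dataclasses import dataclass, field

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
OPT_RE = re.compile(r'\s*(\w+)(?::\s*("[^"]*"|[^;]*))?;')


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    options: dict = field(default_factory=dict)

    @property
    def sid(self):
        return self.options.get("sid", "")


def parse_rule(text):
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    opts = {}
    for key, val in OPT_RE.findall(m.group("opts")):
        opts[key] = val[1:-1] if val.startswith('"') else val  # '' for flag options like nocase
    return Rule(*(m.group(g) for g in ("action", "proto", "src", "sport", "dst", "dport")), opts)


def addr_matches(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    if spec == "any":
        return True
    if port is None:            # protocol without ports (ICMP) cannot match a numeric spec
        return False
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)


def rule_matches(rule, pkt):
    """pkt is a dict with proto, src, sport, dst, dport and payload (bytes)."""
    if rule.proto not in ("ip", pkt["proto"]):
        return False
    if not (addr_matches(rule.src, pkt["src"]) and addr_matches(rule.dst, pkt["dst"])):
        return False
    if not (port_matches(rule.sport, pkt["sport"]) and port_matches(rule.dport, pkt["dport"])):
        return False
    content = rule.options.get("content")
    if content is not None:
        needle, haystack = content.encode(), pkt["payload"]
        if "nocase" in rule.options:
            needle, haystack = needle.lower(), haystack.lower()
        if needle not in haystack:
            return False
    return True


def alert_sids(rule_texts, packets):
    """For each packet, the sids of every rule that fires on it."""
    rules = [parse_rule(r) for r in rule_texts]
    return [[r.sid for r in rules if rule_matches(r, p)] for p in packets]


# Constructed ruleset in (a subset of) Snort syntax.
RULES = [
    'alert tcp any any -> 10.0.1.0/24 80 (msg:"WEB attempt to read /etc/passwd"; content:"/etc/passwd"; nocase; sid:1000001;)',
    'alert tcp any any -> 10.0.1.0/24 21 (msg:"FTP anonymous login"; content:"USER anonymous"; sid:1000002;)',
    'alert icmp any any -> 10.0.1.0/24 any (msg:"ICMP echo to internal host"; sid:1000003;)',
]

# Constructed packets (payloads are the application-layer bytes).
PACKETS = [
    dict(proto="tcp", src="203.0.113.7", sport=40001, dst="10.0.1.10", dport=80,
         payload=b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n\r\n"),
    dict(proto="tcp", src="203.0.113.7", sport=40002, dst="10.0.1.10", dport=80,
         payload=b"GET /index.html HTTP/1.0\r\n\r\n"),
    dict(proto="tcp", src="203.0.113.7", sport=40003, dst="10.0.1.10", dport=21,
         payload=b"USER ANONYMOUS\r\n"),                  # case differs, rule lacks nocase
    dict(proto="tcp", src="203.0.113.7", sport=40004, dst="10.0.1.10", dport=21,
         payload=b"USER anonymous\r\n"),
    dict(proto="icmp", src="203.0.113.7", sport=None, dst="10.0.1.5", dport=None, payload=b""),
    dict(proto="tcp", src="203.0.113.7", sport=40005, dst="10.0.2.10", dport=80,
         payload=b"GET /etc/passwd HTTP/1.0\r\n\r\n"),   # outside the rule's destination net
]

if __name__ == "__main__":
    for pkt, sids in zip(PACKETS, alert_sids(RULES, PACKETS)):
        print(f"{pkt['src']} -> {pkt['dst']}:{pkt['dport']}  fired: {sids or '-'}")
```

The third packet illustrates the most common rule-writing mistake: a case-sensitive `content` match silently misses a trivially varied payload, which is why `nocase` is routine on text protocols.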
ActiveScout
  • ForeScout Technologies ( http://www.forescout.com )
  • Intrusion Prevention Tool
  • Method:
    • Watches for hacker reconnaissance (port scans, NetBIOS scans, etc.)
    • Returns bogus info to the hacker
    • If a hacker attempts to break in using the bogus data, ActiveScout sets off alarms or blocks any further traffic from the intruder
  • Downside: only works in conjunction with Check Point’s Firewall-1
  • Requires little administration and eliminates many false positives
  • Cost w/T1 port is about $10K
Manhunt
  • Symantec Corp. ( http://www.symantec.com )
  • Advanced Threat Management System
  • Signature based hybrid detection
    • protocol anomaly detection
    • traffic rate monitoring
    • protocol state tracking
    • IP packet reassembly to provide a level of detection superior to other, signature-based systems. These detection capabilities can identify threats in real time, eve
  • Real-time Analysis and Correlation
    • collects information from security devices throughout the network to spot trends
  • Automatic Policy Based Responses
  • Scalable Across Geographic Areas of an Enterprise
    • one Manhunt can be configured across 10 network segments
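"Protocol state tracking" and "protocol anomaly detection" on this slide are easiest to see with TCP's three-way handshake. The following added example (written for this page, not Symantec's code) walks each flow through SYN, SYN/ACK and ACK, and reports two things a pure signature matcher cannot: flows that never completed the handshake (refused, aborted after SYN/ACK, or never answered), and segments that break the protocol (an ACK with no connection, flag combinations TCP never sends legitimately). The flow states, the list of illegal flag sets and the segment log are assumptions constructed for the example.

```python
"""Added example: TCP handshake state tracking and protocol anomaly reporting
over a constructed segment log (states and sample data are assumptions)."""
from collections import Counter, defaultdict

# Constructed segments: (timestamp, src, sport, dst, dport, flags as letters from S A F R P U).
SAMPLE_SEGMENTS = [
    (0.00, "10.0.0.5", 40000, "10.0.1.10", 80, "S"),      # normal client handshake
    (0.01, "10.0.1.10", 80, "10.0.0.5", 40000, "SA"),
    (0.02, "10.0.0.5", 40000, "10.0.1.10", 80, "A"),
    (0.03, "10.0.0.5", 40000, "10.0.1.10", 80, "PA"),     # data on the established flow
    (1.00, "10.0.0.99", 51000, "10.0.1.10", 22, "S"),     # answered with SYN/ACK ...
    (1.01, "10.0.1.10", 22, "10.0.0.99", 51000, "SA"),
    (1.02, "10.0.0.99", 51000, "10.0.1.10", 22, "R"),     # ... then torn down before completing
    (1.10, "10.0.0.99", 51001, "10.0.1.10", 23, "S"),     # closed port: server resets
    (1.11, "10.0.1.10", 23, "10.0.0.99", 51001, "RA"),
    (1.20, "10.0.0.99", 51002, "10.0.1.10", 25, "S"),
    (1.21, "10.0.1.10", 25, "10.0.0.99", 51002, "RA"),
    (1.30, "10.0.0.99", 51003, "10.0.1.10", 445, "S"),    # never answered
    (2.00, "10.0.0.98", 52000, "10.0.1.10", 80, "FPU"),   # FIN+PSH+URG is never legitimate
    (2.10, "10.0.0.98", 52001, "10.0.1.10", 80, "A"),     # ACK with no prior handshake
]


def illegal_flags(fl):
    """Flag sets a conforming TCP stack never emits."""
    return fl == set() or {"F", "P", "U"} <= fl or {"S", "F"} <= fl or {"S", "R"} <= fl


def track_states(segments):
    """Return (flow -> state, anomalies); flow key is (client, cport, server, sport)."""
    states, anomalies = {}, []
    for ts, src, sport, dst, dport, flags in segments:
        fl = set(flags)
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if illegal_flags(fl):
            anomalies.append((ts, src, f"illegal flag combination {flags!r}"))
        elif fl == {"S"}:
            states[fwd] = "SYN_SENT"
        elif fl == {"S", "A"}:
            if states.get(rev) == "SYN_SENT":
                states[rev] = "SYN_RECEIVED"
            else:
                anomalies.append((ts, src, "SYN/ACK with no preceding SYN"))
        elif "R" in fl:
            if states.get(rev) == "SYN_SENT":
                states[rev] = "REFUSED"        # server reset a connection attempt
            elif states.get(fwd) == "SYN_RECEIVED":
                states[fwd] = "ABORTED"        # client reset after SYN/ACK, handshake never completed
            else:                              # reset of an established or unknown flow: drop it
                states.pop(fwd, None)
                states.pop(rev, None)
        elif "A" in fl:
            if states.get(fwd) == "SYN_RECEIVED":
                states[fwd] = "ESTABLISHED"
            elif "ESTABLISHED" not in (states.get(fwd), states.get(rev)):
                anomalies.append((ts, src, "ACK outside an established connection"))
        # FIN teardown of established flows is not modelled in this example.
    return states, anomalies


def summarize(segments):
    """Established flows, incomplete handshakes per source, and protocol anomalies."""
    states, anomalies = track_states(segments)
    established = sorted(f for f, s in states.items() if s == "ESTABLISHED")
    incomplete = defaultdict(Counter)
    for (client, _cport, _server, _sport), s in states.items():
        if s != "ESTABLISHED":
            incomplete[client][s] += 1
    return {
        "established": established,
        "incomplete_by_src": {c: dict(cnt) for c, cnt in incomplete.items()},
        "anomalies": anomalies,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_SEGMENTS).items():
        print(f"{key}: {value}")
```

A source that accumulates many REFUSED, ABORTED and unanswered SYN_SENT flows against one host is what a traffic-state profiler reports as a probe, without needing a signature for any particular scanner.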
Watson Researchers
  • Kanad Ghose
  • Doug Summerville
  • Victor Skormin
  • Mark Fowler