1 / 32

Intrusion Detection

Understand the concepts and principles of intrusion detection, including basic detection characteristics, attack tools, and intrusion detection systems. Explore anomaly, misuse, and specification modeling for detecting intrusions and the architecture of Intrusion Detection Systems.

atorres
Download Presentation

Intrusion Detection

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Intrusion Detection

  2. What is Intrusion Literal meaning: The definition of an intrusion is an unwelcome interruption or a situation where somewhere private has an unwelcome visit or addition. Computer security: To compromise a computer system by breaking the security of such a system or causing it to enter into an insecure state. 

  3. Principles Characteristics of Computer system that are not under attack • The actions of users and processes generally conform to a statistically predictable pattern. A user who does only word processing when using the computer is unlikely to perform a system maintenance function. • The actions of users and processes do not include sequences of commands to subvert (threaten) security policy of the system. In theory, any such sequence is excluded; in practice, only sequences known to subvert the system can be detected. • The actions of processes conform to a set of specifications describing actions that the processes are allowed to do (or not allowed to do).

  4. Principles Computer under attack (intrusion) fail to meet at least one of the previous characteristics. Basic Detection: Characteristics listed above guide the detection of intrusion.

  5. Attack tools and intrusion detection system • An attack tool is automated script designed to violate a security policy • An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces electronic reports to a management station. • How IDS is different to firewall?

  6. Goal of IDS • Detects Wide variety of intrusions • Inside / outside, virus, worms, Trojan horse, keylogger • Detects intrusions in a timely fashion • Timely – not necessarily in real time. • Real time intrusion detection raise the issue of responsiveness. • Delay on intrusion detection probably useless • Present the analysis in a simple, easy-to-understand format • Be accurate • False Positive - reports attracts but no attack • False Negative – fail to report attack when no attack

  7. Model • Different models • Can be adaptive or static • Adaptive: That alter their behavior on the basic of system states or condition • Static: Initialized from collected data and do not change • Other basic • Anomaly Modeling • Misuse Modeling • Specification Modeling

  8. Anomaly Modeling • Analyzes a set of characteristics of the system and compares their behavior with a set of expected values. • Use the assumption that unexpected behavior is evidence of an intrusion • Eg: • Microsoft windows lock user out after some number n of fail login attempts • ATM blocks user account with n number of attempts

  9. Misuse Modeling • Misuse detection determines whether a sequence of instructions being executed is known to violate the site security policy being executed. If so, it reports a potential intrusion, • Requires a knowledge of system vulnerabilities • we define abnormal system behavior at first, and then define any other behavior, as normal behavior. •  In other words, anything we don't know is normal.

  10. Specification Modeling • Specification-based detection determines whether or not a sequence of instructions violates a specification of how a program, or system, should execute. If so, it reports a potential intrusion. • How different than previous two model • Anomaly detection : Art of looking for unusual states • Misuse detection: Art of looking for states known to be bad • Specification detection: it looks state known not to be good. When system enters such state it reports possible intrusion

  11. Architecture • IDS is like automated auditing mechanism • Consists three parts • Agents: Corresponds to logger. It acquires information from a target (such as computer system) • Director: Corresponds to analyzer. It analyze the data as required. Then pass information to the notifier • Notifier: determines whether and how to notify the necessary entity

  12. Architecture

  13. Agent • Obtain information from data source • Source may be log file, another process or a network • Acquired information is sent to director • Sometime preprocessing required to convert into specific format • Example: Agent will sent time and location of fail login attempt to director. Director will wait for certain number of fail login attempt and may disable account

  14. Agent: types • Host-based information gathering • Usually use system and application logs to obtain record of events and analyze them to determine what to pass to the director • Log may be security related or other log • Network based information gathering • Use variety of device and software to monitor network traffic • It can detect network-oriented attack like denial of service, DNS poisioning • May use network sniffing to read the network traffic

  15. Agent: Types (2) • Combined sources • Aggregate of information needed • Collected both from host and network

  16. Director • Analyze the data from the agent as required • Director itself reduces the incoming log entries to eliminate unnecessary and redundant records • Then use analysis engine to determine if an attack is underway • May use any of, or a mixture of, several technique to perform its analysis • Functioning of director is crucial to effectiveness of intrusion detection system  May use dedicated system

  17. Notifier • Notifier accepts information from the director and takes appropriate action • Notify user if necessary • May use graphical interface • Graph showing spread of worms • Red / Green signal to show under attack or not

  18. Organization of IDS • Can be organized in several ways • Three paradigm used along this slide to organize IDS • 1st examine network traffic • 2nd explore how to combine network and host sources • 3rd distribute the director among multiple system

  19. Monitoring Network Traffic for Intrusion: NSM • Develops a profile of expected usage of network and compares current usage with that profile • Runs of local area network • Measures network utilization and other characteristics • It reports anomalous behavior over network • Eg: NSM (Network Security Monitor) • Monitors the source, destination and service of network traffic • Provides graphical user display to enable the system security officer to see at a glance of the network

  20. Combining Host and Network Monitoring: DIDS • Combines the abilities of NSM with intrusion detection monitoring of individual host • Motivation: neither network-based nor host-based is sufficient • Eg: Intruder attempting to log on system with out password wont be detected be network based monitoring • Intruder using network to use resources wont be detected by host-based monitoring • Distributed Intrusion Detection System (DIDS), created in 1991 in University of California is the example • Used network identification number (NID) to identify user

  21. Autonomous Agents: AAFID • Previous two model has single point to failure i.e. director • Solution: Partition the IDS into multiple components that function independently of one another and yet communicate to correlate information • Eg: Autonomous agents for intrusion detection (AAFID) • All modern IDS use this approach

  22. Intrusion Response • Once an intrusion is detected, how can the system protected? Intrusion Response deals with this problem • Its goal is to handle the attempted attack in such a way that the damage is minimized • Responded in two ways • Incident Prevention • Intrusion Handling

  23. Incident Prevention • Intrusion attempts will be detected and stopped before they succeed. • Involves closely monitoring the system and taking action to defeat the attack • Eg: • Lock the system after n number of unsuccessful login attempt • Jailing of attacker • Allows attacker to think that their attack have succeeded, but places them in a confined area in which their behavior can be controlled and even manipulated

  24. Intrusion Handling • Security policy of site is violated after intrusion • Handling the intrusion means restoring the system to comply with the site security policy AND • Taking action against the attacker that the policy specifies • Consists six phases

  25. Six phases of intrusion handling • Preparation for an attack • This step occurs before any attack are detected. It establishes procedures and mechanism for detection and responding to attacks. 2. Identification of an attack • This triggers the remaining phase 3. Containment (Confinement) of attack [Containment = control] • This step limits the damage as much as possible

  26. Six phases of intrusion of detection 4. Eradication of the attack • This step stop the attack and block further similar attacks 5. Recovery from the attack • This step restores the system to a secure state (with respect to site security policy) 6. Follow-up the attack

  27. Containment Phase Literal meaning: Control, Suppression • Means limiting the access of the attacker to system resources • The domain of the attacker is reduced as much as possible • Two approaches • Passively Monitoring • Constraining Access to prevent further damage [Damage: any action that causes system to deviate from secure state]

  28. Containment phase (2) • Passive monitoring • Simply records the attackers action for later use • Do not interfere with the attacker • It reveals information about attack, possibly, the goals of attackers • Constraining access to prevent further damage • Steps are taken to constrain the action of the attacker • Protection domain of attacker is reduced

  29. Eradication Phase • Means stopping attack • Usual approach is to deny access to system completely or to terminate the processes involved in the attack (Such as terminating the network connection) • Ensures that the attack does not immediately resume • Common method for implementation blocking is to place wrapper around suspected target.

  30. Follow-Up Phase • In this phase system take some action external to the system against attacker • Involves taking action against the attacker, identifying problem in the handling of the incident, and recording lesson learned • Pursue some form of legal action • Counterattacking – Two forms • Legal mechanism: such as filing complaints, requires evidence • Technical attack: damage the attacker seriously, discourage future attack

  31. Consequence to be considered during counter attack • May harm the innocent party. Attacker may be the imposter • May have side effect. • The counterattack is antithetical to the shared use of a network (directly opposed or contrasted; mutually incompatible.) • The counter attack may be legally actionable Counterattack conclusion: Exceptional circumstances, may be appropriate. In general it should be avoided

More Related