Learn about principles, models, and architecture of intrusion detection systems (IDS). Explore topics such as false positives, IDS deployment, active response (IPS), and evasion techniques.
CIT 380: Securing Computer Systems
Network Monitoring
Topics
• Principles
• Models of Intrusion Detection
• False Positives
• Architecture of an IDS
• IDS Deployment
• Active Response (IPS)
• Host-based IDS and IPS
• IDS Evasion Techniques
Principles of Intrusion Detection
Characteristics of systems not under attack:
• User and process actions conform to a statistically predictable pattern.
• User and process actions do not include sequences of actions that subvert the security policy.
• Process actions correspond to a set of specifications describing what the processes are allowed to do.
Systems under attack fail to meet at least one of these.
Example
Goal: insert a back door into a system.
• Intruder will modify a system configuration file or program.
• Requires privilege; attacker enters the system as an unprivileged user and must acquire privilege.
• Nonprivileged user may not normally acquire privilege (violates #1).
• Attacker may break in using a sequence of commands that violate the security policy (violates #2).
• Attacker may cause a program to act in ways that violate the program's specification (violates #3).
Goals of IDS
• Detect a wide variety of intrusions
  • Previously known and unknown attacks.
  • Need to adapt to new attacks or changes in behavior.
• Detect intrusions in a timely fashion
  • May need to be real-time, especially when the system responds to the intrusion.
  • Problem: analyzing commands may impact the response time of the system.
  • May suffice to report that an intrusion occurred a few minutes or hours ago.
Goals of IDS
• Present analysis in an easy-to-understand format.
  • Ideally a binary indicator.
  • Usually more complex, allowing the analyst to examine the suspected attack.
  • User interface is critical, especially when monitoring many systems.
• Be accurate
  • Minimize false positives and false negatives.
  • Minimize time spent verifying attacks and looking for them.
Deep Packet Inspection
• IDS requires it; some firewalls do too.
• DPI = analysis of application-layer data
• Protocol Standard Compliance
  • Is port 53 traffic DNS or a covert shell session?
  • Is port 80 traffic HTTP or tunneled IM or P2P?
• Protocol Anomaly Detection
  • Traffic is valid HTTP.
  • But a suspicious URL contains directory traversal.
Models of Intrusion Detection
• Anomaly detection
  • What is usual is known.
  • What is unusual is bad.
• Misuse detection
  • What is bad is known.
  • Look for what is bad; hope it doesn't change.
Anomaly Detection
Analyzes a set of characteristics of the system and compares their values with expected values; reports when the computed statistics do not match the expected statistics.
• Threshold metrics
• Sequences of valid actions
• Statistical measures
Threshold Metrics
• Counts the number of events that occur
  • Between m and n events (inclusive) expected.
  • If the number falls outside this range, anomalous.
• Example
  • Windows: lock user out after k failed sequential login attempts. Range is (0, k–1).
  • k or more failed logins deemed anomalous.
  • Threshold depends on typing skill.
Sequences of System Calls
• Define normal behavior in terms of sequences of system calls.
• Example normal trace: open read write open write close
  • Doesn't normally run other programs.
• Attack trace: open read write open exec write close
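A sliding-window detector of the kind the slide describes, as an added example (not from the slides): every length-n window of the normal trace goes into a database, and a new trace is flagged when it contains windows never seen in training. The traces are the slide's; the window length of 3 and the tolerance parameter are my choices.

```python
from typing import Iterable, List, Set, Tuple

Window = Tuple[str, ...]
WINDOW = 3  # n-gram length; kept small so the short traces below yield a useful database


def windows(trace: List[str], n: int = WINDOW) -> List[Window]:
    """Sliding length-n windows over a system-call trace, in trace order."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


def train(normal_traces: Iterable[List[str]], n: int = WINDOW) -> Set[Window]:
    """Build the 'normal' database: every window seen in traces known to be benign."""
    db: Set[Window] = set()
    for trace in normal_traces:
        db.update(windows(trace, n))
    return db


def mismatches(db: Set[Window], trace: List[str], n: int = WINDOW) -> List[Window]:
    """Windows of `trace` that never occurred during training."""
    return [w for w in windows(trace, n) if w not in db]


def is_anomalous(db: Set[Window], trace: List[str], n: int = WINDOW,
                 tolerance: int = 0) -> bool:
    """Flag a trace whose mismatch count exceeds the tolerance (0 = any new window)."""
    return len(mismatches(db, trace, n)) > tolerance


# Constructed traces mirroring the slide's example.
NORMAL_TRACE = ["open", "read", "write", "open", "write", "close"]
ATTACK_TRACE = ["open", "read", "write", "open", "exec", "write", "close"]

if __name__ == "__main__":
    db = train([NORMAL_TRACE])
    for w in mismatches(db, ATTACK_TRACE):
        print("unseen window:", " ".join(w))
```

The single exec call produces three unseen windows, while a benign trace such as open write close, which also differs from the training trace, produces none.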
Bayesian Filtering
Calculate
• Probability that a word appears in spam.
using training data:
• Set of spam e-mail.
• Set of non-spam e-mail.
For a new e-mail message:
• Combine the probabilities of each word to calculate the probability that the message is spam.
• If probability > 0.9, then the message is spam.
• Tune the cutoff to adjust the false positive/negative rate.
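A word-based naive Bayes filter following the slide's recipe, as an added example (not from the slides): per-word probabilities are estimated from labelled spam and non-spam, combined for a new message, and compared with the 0.9 cutoff. The two tiny training corpora are constructed; add-one smoothing and equal class priors are my assumptions.

```python
import math
from collections import Counter
from typing import Iterable

# Constructed toy training corpora (not from the slides); real filters use thousands of messages.
SPAM = ["win free money now", "free prize click now",
        "cheap pills free shipping", "win cash now click"]
HAM = ["meeting notes attached", "lunch tomorrow at noon",
       "project status report attached", "please review the attached draft"]


class BayesFilter:
    """Word-based naive Bayes spam filter: train on labelled mail, then score new messages."""

    def __init__(self, spam: Iterable[str], ham: Iterable[str]) -> None:
        self.spam_counts = Counter(w for m in spam for w in m.split())
        self.ham_counts = Counter(w for m in ham for w in m.split())
        self.n_spam = sum(self.spam_counts.values())
        self.n_ham = sum(self.ham_counts.values())
        self.vocab = len(set(self.spam_counts) | set(self.ham_counts))

    def word_prob(self, word: str, spam: bool) -> float:
        """P(word | class) with add-one smoothing, so an unseen word never zeroes the score."""
        counts, total = (self.spam_counts, self.n_spam) if spam else (self.ham_counts, self.n_ham)
        return (counts[word] + 1) / (total + self.vocab)

    def spam_probability(self, message: str) -> float:
        """Combine the per-word probabilities into P(spam | message), assuming equal priors."""
        log_spam = log_ham = 0.0
        for word in message.split():  # sum logs instead of multiplying to avoid underflow
            log_spam += math.log(self.word_prob(word, True))
            log_ham += math.log(self.word_prob(word, False))
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))

    def is_spam(self, message: str, cutoff: float = 0.9) -> bool:
        """The slide's decision rule; lowering the cutoff trades false negatives for false positives."""
        return self.spam_probability(message) > cutoff


if __name__ == "__main__":
    f = BayesFilter(SPAM, HAM)
    for msg in ("free money now", "status report attached", "free lunch"):
        print(f"{msg!r}: P(spam)={f.spam_probability(msg):.3f} spam={f.is_spam(msg)}")
```

"free lunch" scores 2/3: spam at a 0.5 cutoff, not spam at the slide's 0.9, which is the tuning trade-off the last bullet refers to.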
Misuse Detection
• Determines whether a sequence of instructions being executed is known to violate the site security policy.
• Descriptions of known or potential exploits are grouped into rule sets.
• IDS matches data against the rule sets; on a match, a potential attack is found.
• Cannot detect new attacks:
  • No rules to cover them.
Example: snort
Network Intrusion Detection System
• Sniffs packets off the wire.
• Checks packets for matches against rule sets.
• Logs detected signs of misuse.
• Alerts the administrator when misuse is detected.
Snort Rules
• Rule Header
  • Action: pass, log, alert
  • Network protocol
  • Source address (host or network) + port
  • Destination address (host or network) + port
• Rule Body
  • Content: packet ASCII or binary content
  • TCP/IP flags and options to match
  • Message to log, indicating the nature of the misuse detected
Snort Rule Example
Example: rule for an ssh shellcode exploit

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow NOOP"; flow:to_server,established; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; reference:bugtraq,2347; reference:cve,CVE-2001-0144; classtype:shellcode-detect; sid:1326; rev:3;)
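To make the header/body split and the |hex| content notation concrete, here is a minimal parser for the rule above and a content match against a constructed payload. This is an added example, not Snort's own code: it ignores flow state and does not resolve $HOME_NET/$EXTERNAL_NET, and it assumes no ';' inside quoted option values.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# The rule exactly as it appears on the slide.
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow NOOP"; '
        'flow:to_server,established; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; '
        'reference:bugtraq,2347; reference:cve,CVE-2001-0144; classtype:shellcode-detect; '
        'sid:1326; rev:3;)')


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    options: Dict[str, List[str]] = field(default_factory=dict)  # repeated keys (reference) allowed
    content: bytes = b""


def parse_content(value: str) -> bytes:
    """Snort content syntax: text outside |...| is literal, hex byte pairs inside the pipes."""
    out = bytearray()
    for i, part in enumerate(value.split("|")):
        out += bytes.fromhex("".join(part.split())) if i % 2 else part.encode("latin-1")
    return bytes(out)


def parse_rule(text: str) -> Rule:
    """Split the header (action proto src sport -> dst dport) from the ;-separated option body."""
    header, body = text.split("(", 1)
    action, proto, src, sport, _arrow, dst, dport = header.split()
    rule = Rule(action, proto, src, sport, dst, dport)
    for opt in body.rstrip(")").split(";"):  # simplification: no ';' inside quoted values
        if not opt.strip():
            continue
        key, _, val = opt.strip().partition(":")
        val = val.strip().strip('"')
        rule.options.setdefault(key, []).append(val)
        if key == "content":
            rule.content = parse_content(val)
    return rule


def matches(rule: Rule, dport: int, payload: bytes) -> bool:
    """Minimal match: destination port and content only. A real engine first resolves the
    address variables and tracks the TCP session for the flow:to_server,established check."""
    return str(dport) == rule.dport and rule.content in payload
```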
Comparison and Contrast
• Misuse detection: if all policy rules are known, it is easy to construct rulesets to detect violations.
  • The usual case is that much of the policy is unspecified, so rulesets describe attacks and are not complete.
• Anomaly detection: detects unusual events, but these are not necessarily security problems.
False Positives
• A new test for a disease is 95% accurate.
• Assume 1 in 1000 people have the disease.
• Should everyone get the test?
  • Sample size: 1000
  • Expect 0.95 + (999 * 0.05) positives
  • Ergo, 50 people will be told they have the disease.
  • If you test positive, only a 2% chance you have it.
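The same computation written out with Bayes' theorem, as an added derivation (not from the slides). Let $D$ be having the disease and $+$ a positive test, with $P(+ \mid D) = 0.95$, $P(+ \mid \neg D) = 0.05$ and $P(D) = 0.001$:

$$
P(D \mid +) = \frac{P(+ \mid D)\,P(D)}{P(+ \mid D)\,P(D) + P(+ \mid \neg D)\,P(\neg D)}
            = \frac{0.95 \times 0.001}{0.95 \times 0.001 + 0.05 \times 0.999}
            = \frac{0.00095}{0.0509} \approx 0.019
$$

Scaled to the slide's 1000 people, the denominator is $0.95 + 49.95 = 50.9$ positives, of which only $0.95$ are true cases. An IDS sees the same base-rate effect: when attacks are rare relative to benign traffic, even a small per-event false-positive rate makes most alerts false.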
IDS Architecture
An IDS is essentially a sophisticated audit system.
• Agent gathers data for analysis.
• Director analyzes data obtained from the agents according to its internal rules.
• Notifier acts on director results.
  • May simply notify the security officer.
  • May reconfigure agents or director to alter collection and analysis methods.
  • May activate a response mechanism.
Agents
Obtain information and send it to the director.
Preprocessing
• Simplifying and reformatting of data.
Push vs Pull
• Agents may push data to the director, or
• Director may pull data from the agents.
Host-Based Agents
• Obtain information from logs
  • May use many logs as sources.
  • May be security-related or not.
  • May use virtual logs if the agent is part of the kernel.
• Agent generates its own information
  • Analyzes the state of the system.
  • Treats results of the analysis as log data.
Network-Based Agents
• Sniff traffic from the network.
  • Use hubs, SPAN ports, or taps to see traffic.
  • Need agents on all switches to see the entire network.
• Agent needs the same view of traffic as the destination
  • TTL tricks and fragmentation may obscure this.
• End-to-end encryption defeats content monitoring
  • Not traffic analysis, though.
Aggregation of Information
Agents produce information at multiple layers of abstraction.
• Application-monitoring agents provide one view of an event.
• System-monitoring agents provide a different view of an event.
• Network-monitoring agents provide yet another view (involving many packets) of an event.
Director
• Reduces information from agents
  • Eliminates unnecessary, redundant records.
• Analyzes information to detect attacks
  • Analysis engine can use any of the modelling techniques.
• Usually runs on a separate system
  • Does not impact performance of the monitored systems.
  • Rules and profiles are not available to ordinary users.
Example
• Jane logs in to perform system maintenance during the day.
• She logs in at night to write reports.
• One night she begins recompiling the kernel.
• Agent #1 reports logins and logouts.
• Agent #2 reports commands executed.
• Neither agent spots the discrepancy.
• Director correlates the logs and spots it at once.
Adaptive Directors
• Modify profiles and rulesets to adapt their analysis to changes in the system
  • Usually use machine learning or planning to determine how to do this.
• Example: use neural nets to analyze logs
  • Network adapted to users' behavior over time.
  • Used learning techniques to improve classification of events as anomalous.
  • Reduced the number of false alarms.
Notifier
• Accepts information from the director
• Takes appropriate action
  • Notify system security officer
  • Respond to attack
• Often GUIs
  • Use visualization to convey information.
Example Architecture: snort (diagram)
IDS Deployment
IDS deployment should reflect your threat model. Major classes of attackers:
• External attackers intruding from the Internet.
• Internal attackers intruding from your LANs.
Where should you place IDS systems?
• Perimeter (outside firewall)
• DMZ
• Intranet
• Wireless
IDS Deployment (diagram)
Sguil NSM Console (figure)
Intrusion Prevention Systems
• What else can you do with IDS alerts?
  • Identify an attack before it completes.
  • Prevent it from completing.
• How to prevent attacks?
  • Directly: IPS drops attack packets.
  • Indirectly: IPS modifies firewall rules.
• Is IPS a good idea?
  • How do you deal with false positives?
IPS Deployment Types (diagram)
• Inline IPS on the intranet path
• Non-inline IPS monitoring the intranet
Active Responses by Network Layer
• Data Link: shut down a switch port. Only useful for local intrusions. Rate limit switch ports.
• Network: block a particular IP address.
  • Inline: can perform the blocking itself.
  • Non-inline: send a request to the firewall.
• Transport: send TCP RST or ICMP messages to sender and target to tear down TCP sessions.
• Application: inline IPS can modify application data to be harmless: /bin/sh -> /ben/sh
Host IDS and IPS
• Anti-virus and anti-spyware
  • AVG anti-virus, SpyBot S&D
• Log monitors
  • swatch, logwatch
• Integrity checkers
  • tripwire, osiris, samhain
  • Monitor file checksums, etc.
• Application shims
  • mod_security
Evading IDS and IPS
Alter appearance to prevent a signature match
• URL-encode parameters to avoid a match.
• Use ' or 783>412-- for SQL injection.
Alter context
• Change TTL so the IDS sees different packets than the target host receives.
• Fragment packets so that the IDS and target host reassemble the packets differently.
Fragment Evasion Techniques
Use fragments
• Older IDS cannot handle reassembly.
Flood of fragments
• DoS via heavy use of CPU/RAM on the IDS.
Tiny fragments
• Break the attack into multiple fragments, none of which match the signature.
• ex: frag 1: "cat /etc", frag 2: "/shadow"
Overlapping fragments
• Offset of later fragments overwrites earlier fragments.
• ex: frag 1: "cat /etc/fred", frag 2: offset=10, "shadow"
• Different OSes deal differently with overlapping.
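Why overlap handling matters for the sensor, as an added example (not from the slides): the same two fragments reassembled under a "first data wins" and a "last data wins" policy give different streams, and only one of them contains the signature. The fragments are constructed after the slide's example (offset 9 rather than 10 so the overlap lands exactly on "fred"); the two policies are illustrative labels, not a claim about any particular OS. The conflict check is what a sensor can alert on regardless of which policy the destination uses.

```python
from typing import Dict, List, Tuple

Fragment = Tuple[int, bytes]  # (byte offset, data), listed in arrival order

POLICIES = ("first", "last")  # illustrative overlap policies; real stacks vary further


def reassemble(frags: List[Fragment], policy: str) -> bytes:
    """Reassemble overlapping fragments: 'first' keeps the earliest data written to a byte,
    'last' lets later fragments overwrite it. Unfilled gaps stay as zero bytes."""
    size = max(off + len(data) for off, data in frags)
    buf, filled = bytearray(size), [False] * size
    for off, data in frags:
        for i, byte in enumerate(data):
            pos = off + i
            if policy == "last" or not filled[pos]:
                buf[pos] = byte
            filled[pos] = True
    return bytes(buf)


def overlap_conflicts(frags: List[Fragment]) -> List[int]:
    """Byte positions where two fragments disagree. Legitimate retransmissions repeat the same
    bytes, so a conflicting overlap is itself worth alerting on, whatever policy the target uses."""
    seen: Dict[int, int] = {}
    conflicts = set()
    for off, data in frags:
        for i, byte in enumerate(data):
            pos = off + i
            if seen.setdefault(pos, byte) != byte:
                conflicts.add(pos)
    return sorted(conflicts)


def signature_views(frags: List[Fragment], signature: bytes) -> Dict[str, bool]:
    """Whether the signature matches under each policy; a split verdict means the sensor's
    view may differ from the destination's, which is exactly the gap evasion relies on."""
    return {p: signature in reassemble(frags, p) for p in POLICIES}


# Constructed fragments after the slide's example (offset 9 so the overlap lands on "fred").
FRAGS: List[Fragment] = [(0, b"cat /etc/fred"), (9, b"shadow")]
SIGNATURE = b"/etc/shadow"

if __name__ == "__main__":
    for p in POLICIES:
        print(p, reassemble(FRAGS, p))
    print("conflicting bytes:", overlap_conflicts(FRAGS), signature_views(FRAGS, SIGNATURE))
```

Position 12 holds 'd' in both fragments, so only bytes 9 to 11 are reported as conflicting; a sensor that models the destination's reassembly policy (or alerts on any conflicting overlap) closes this gap.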
Web Evasion Techniques
URL encoding
• GET /%63%67%69%2d%62%69%6e/bad.cgi
/./ directory insertion
• GET /./cgi-bin/./bad.cgi
Long directory insertion
• GET /junklongdirectorypathstuffhereuseless/../cgi-bin/bad.cgi
• IDS may only read the first part of the URL for speed.
Tab separation
• GET<tab>/cgi-bin/bad.cgi
• Tabs usually work on servers, but may not be in the signature.
Case sensitivity
• GET /CGI-BIN/bad.cgi
• Windows filenames are case-insensitive, but the signature may not be.
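The detection-side answer to all five techniques on this slide is to normalize the request-target before comparing it with the signature, so the sensor matches on what the server will actually resolve. Added example, not from the slides or any IDS: the request lines are the slide's five variants (with <tab> as a real tab), and single %xx decoding plus optional case folding are my assumptions about the server being protected.

```python
import posixpath
from urllib.parse import unquote

SIGNATURE = "/cgi-bin/bad.cgi"  # the path the slide's signature is looking for


def normalize_target(request_line: str, case_insensitive_target: bool = False) -> str:
    """Canonicalize the request-target the way the server will interpret it, so the
    signature comparison sees the server's view rather than the sender's spelling."""
    parts = request_line.split()  # any whitespace: a <tab> after GET still splits
    if len(parts) < 2:
        return ""
    path = parts[1].split("?", 1)[0]  # path component only; the query string is not matched here
    path = unquote(path)  # one round of %xx decoding, matching a single-decoding server
    path = posixpath.normpath(path)  # collapses /./ and resolves /../ (cannot climb above '/')
    if not path.startswith("/"):
        path = "/" + path
    if case_insensitive_target:  # servers on case-insensitive filesystems (e.g. Windows)
        path = path.lower()
    return path


def matches_signature(request_line: str, signature: str = SIGNATURE,
                      case_insensitive_target: bool = False) -> bool:
    """Compare the normalized target against the signature path."""
    sig = signature.lower() if case_insensitive_target else signature
    return normalize_target(request_line, case_insensitive_target) == sig


# Constructed request lines reproducing the slide's five evasions (<tab> written as a real tab).
EVASIONS = [
    "GET /%63%67%69%2d%62%69%6e/bad.cgi HTTP/1.0",
    "GET /./cgi-bin/./bad.cgi HTTP/1.0",
    "GET /junklongdirectorypathstuffhereuseless/../cgi-bin/bad.cgi HTTP/1.0",
    "GET\t/cgi-bin/bad.cgi HTTP/1.0",
    "GET /CGI-BIN/bad.cgi HTTP/1.0",
]

if __name__ == "__main__":
    for line in EVASIONS:
        print(repr(line), "->", normalize_target(line, case_insensitive_target=True))
```

The case-sensitivity variant is the one that depends on knowing the target: against a case-sensitive server it is a different path and should not match, so the flag belongs in per-host configuration rather than in the signature.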
Countering Evasion
• Keep IDS/IPS signatures up to date.
  • On a daily or weekly basis.
• Use both host and network IDS/IPS.
  • Host-based is harder to evade as it runs on the host.
  • Fragment attacks can't evade host IDS.
  • Network IDS still useful as an overall monitor.
• Like any alarm, IDS/IPS has
  • False positives
  • False negatives
Key Points
• Models of IDS:
  • Anomaly detection: unexpected events.
  • Misuse detection: violations of policy.
• IDS Architecture:
  • Agents.
  • Director.
  • Notifiers.
• Types of IDS
  • Host: agent on the host checks files and processes to detect attacks.
  • Network: sniffs and analyzes packets to detect intrusions.
• IDS/IPS Evasion
  • Alter appearance to avoid a signature match.
  • Alter context so the IDS interprets traffic differently than the host.
References
• Richard Bejtlich, The Tao of Network Security Monitoring, Addison-Wesley, 2004.
• Matt Bishop, Computer Security: Art and Science, Addison-Wesley, 2003.
• Brian Caswell et al., Snort 2.0 Intrusion Detection, Syngress, 2003.
• William Cheswick, Steven Bellovin, and Aviel Rubin, Firewalls and Internet Security, 2nd edition, 2003.
• The Honeynet Project, Know Your Enemy, 2nd edition, Addison-Wesley, 2004.
• Richard A. Kemmerer and Giovanni Vigna, "Intrusion Detection: A Brief History and Overview," IEEE Security & Privacy, v1 n1, Apr 2002, pp. 27-30.
• Steven Northcutt and Julie Novak, Network Intrusion Detection, 3rd edition, New Riders, 2002.
• Michael Rash et al., Intrusion Prevention and Active Response, Syngress, 2005.
• Rafeeq Rehman, Intrusion Detection Systems with Snort: Advanced IDS Techniques Using Snort, Apache, MySQL, PHP, and ACID, Prentice Hall, 2003.
• Ed Skoudis, Counter Hack Reloaded, 2nd edition, Prentice Hall, 2006.
• Ed Skoudis and Lenny Zeltser, Malware: Fighting Malicious Code, Prentice Hall, 2003.