INTRUSION DETECTION
BCIS 4630 Fundamentals of IT Security
Dr. Andy Wu

Intrusion Detection
• An intrusion is any use or attempted use of a system that exceeds authentication limits.
• Intrusions are similar to incidents.
• An incident does not necessarily involve an active system or network device; an intrusion does.
• An intrusion detection system (IDS) is software/hardware that monitors activity on the system or network.
• It delivers an alert if it notices suspicious activity.

Snort
• A very widely used, open-source intrusion detection application.
• Sniffs traffic: Snort was first developed as a sniffer.
• “Rules” define the patterns of packets used in malicious attacks.
• Compares captured packets with the patterns defined in rules.
• Can raise an alert if a packet is found to match one of the rules.
• Also writes to logs.

Snort
• Uses a configuration file (snort.conf by default) to define home and external networks and other settings.
• Snort is a command line program.
• A number of applications (mostly open source) have been developed to work with Snort for various purposes: GUI front ends, alert database management, advanced analyses, etc.
• Most of them are *nix based.
• IDS Center is one of the very few Windows front ends.

Snort Configuration
• Snort's behavior is controlled by a configuration file (the -c command line switch designates the one actually used) that is loaded when Snort is started. In this file, we can define:
  • What constitutes the external networks (the EXTERNAL_NET variable)
  • What is considered the internal network (the HOME_NET variable)
  • Where to find rules files if Snort is instructed to use them (the RULE_PATH variable)

Snort Rules
• alert tcp any any -> 10.1.99.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)
  • alert specifies the action to take
  • tcp specifies the protocol
  • any any specifies the source network and port
  • 10.1.99.0/24 specifies the destination network
  • 111 specifies the destination port
  • content specifies a byte pattern to look for in the packet payload
  • msg specifies the message to include in the alert
Snort Rules
• If a packet
  • comes from a network as defined by the EXTERNAL_NET variable, regardless of the source port (any),
  • goes to a host in the “home” network as defined by the HOME_NET variable, regardless of the destination port (any),
  • and has the F, P, and U flag bits on (a 12 after the flags means the 2 reserved bits are ignored, e.g. when we want to detect a SYN packet regardless of what is in them),
• then raise an alert with the message “Xmas Scan”.
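To make the rule anatomy concrete, here is an added example (not from the slides and not Snort's own code) of a small Python matcher: it parses the mountd rule above and the Xmas Scan rule as the slide describes it, resolves $HOME_NET and $EXTERNAL_NET from assumed configuration values, and checks constructed packets against them. It understands only the content and flags options, and assumes no ';' inside quoted option values.

```python
import ipaddress
import re
VARS = {"$HOME_NET": "10.1.99.0/24", "$EXTERNAL_NET": "!10.1.99.0/24"}  # assumed snort.conf-style variables (constructed)
HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")

def parse_rule(text):
    """Split a rule into header fields plus an option dict (assumes no ';' inside quoted values)."""
    if not (m := HEADER_RE.match(text.strip())):
        raise ValueError("not a Snort rule: " + text)
    action, proto, src, sport, dst, dport, opts = m.groups()
    options = {}
    for opt in filter(None, (o.strip() for o in opts.split(";"))):
        key, _, val = opt.partition(":")
        options[key.strip()] = val.strip().strip('"')
    return dict(action=action, proto=proto, src=src, sport=sport, dst=dst, dport=dport, options=options)

def net_match(spec, ip):  # 'any', a CIDR, a $VARIABLE, or a '!'-negated form of either
    spec = VARS.get(spec, spec)
    if spec == "any":
        return True
    inside = ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return inside != spec.startswith("!")

def decode_content(spec):  # expand |hex| segments: '|00 01 86 a5|' -> b'\x00\x01\x86\xa5'
    return b"".join(bytes.fromhex(c) if i % 2 else c.encode() for i, c in enumerate(spec.split("|")))

def flags_match(spec, pkt_flags):  # exact flag match; bits after ',' (e.g. the reserved 1 and 2) are ignored
    want, _, ignore = spec.partition(",")
    return set(pkt_flags) - set(ignore) == set(want)

def rule_matches(rule, pkt):
    o = rule["options"]
    return (net_match(rule["src"], pkt["src"]) and rule["sport"] in ("any", str(pkt["sport"]))
            and net_match(rule["dst"], pkt["dst"]) and rule["dport"] in ("any", str(pkt["dport"]))
            and ("content" not in o or decode_content(o["content"]) in pkt["payload"])
            and ("flags" not in o or flags_match(o["flags"], pkt["flags"])))

def alerts_for(rules, pkt):  # the msg of every rule the packet matches, i.e. the alerts Snort would raise
    return [r["options"]["msg"] for r in rules if rule_matches(r, pkt)]

RULES = [parse_rule(r) for r in (
    'alert tcp any any -> 10.1.99.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (flags:FPU; msg:"Xmas Scan";)')]  # Xmas rule as the slide describes it

# Constructed sample packets (not real captures): a mountd probe, an Xmas scan from outside, an ordinary internal SYN.
PACKETS = [
    dict(src="198.51.100.7", sport=40000, dst="10.1.99.5", dport=111, flags="A", payload=b"\x00\x00\x00\x00\x00\x01\x86\xa5"),
    dict(src="198.51.100.7", sport=40001, dst="10.1.99.5", dport=80, flags="FPU", payload=b""),
    dict(src="10.1.99.8", sport=40002, dst="10.1.99.5", dport=22, flags="S", payload=b"")]
```

Running `alerts_for(RULES, pkt)` over PACKETS yields the mountd alert, the Xmas Scan alert, and nothing for the internal SYN, because EXTERNAL_NET is the negation of HOME_NET.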
Snort Output
• Snort can be configured to write to various formats.
• It can also log to Windows events when the -E switch is used.

False Responses
• There is no way for an IDS to know the true intent behind an activity and determine whether it is benign or hostile.
• Thus, the IDS can react only as it has been programmed.
• False positive: an IDS matches a pattern and generates an alarm for benign traffic.
• False negative: hostile activity does not match an IDS signature and, therefore, goes undetected.

Main Categories of IDSs
• Host-Based IDS (HIDS)
  • Concerned only with activity on an individual system and usually has no visibility into the activity on the network or systems around it.
• Network-Based IDS (NIDS)
  • Has visibility only into the traffic crossing the network link it is monitoring and typically has no idea of what is happening on individual systems.
• Snort is an NIDS.

Host-Based IDS
• Examines OS log files, audit trails, and network traffic coming into or leaving a specific host.
• Operates either in real time, looking for activity as it occurs, or in batch mode, looking for activity on a periodic basis.
• They may be self-contained, but many of the newer commercial products have been designed to report to and be managed by a central system.
• Host-based systems use local system resources to operate.
HIDS Focus - Log Files
• A HIDS searches the log files or audit trails from the local OS for hostile actions or misuse activities, e.g.,
  • Logins at odd hours
  • Login authentication failures
  • Adding new user accounts
  • Modification or access of critical system files
  • Modification or removal of binary files (executables)
  • Starting or stopping processes
  • Privilege escalation
  • Using certain programs
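An added illustration, not from the slides, of how a HIDS turns such log entries into findings: a single Python pass over constructed syslog-style auth lines that flags odd-hour logins, repeated authentication failures, a new account, and sudo privilege escalation. The odd-hour window and the failure threshold are assumptions chosen for the example.

```python
import re
from collections import Counter

# Assumptions (not from the slides): logins between 00:00 and 05:59 count as "odd hours",
# and two failed passwords from one source are worth an alert.
ODD_HOURS = range(0, 6)
FAIL_THRESHOLD = 2

# Constructed syslog-style auth log lines (not real data).
SAMPLE_LOG = """\
Mar  3 02:17:44 host1 sshd[1021]: Failed password for root from 203.0.113.9 port 5533 ssh2
Mar  3 02:17:48 host1 sshd[1021]: Failed password for root from 203.0.113.9 port 5533 ssh2
Mar  3 02:17:51 host1 sshd[1021]: Accepted password for root from 203.0.113.9 port 5533 ssh2
Mar  3 02:18:02 host1 useradd[1044]: new user: name=backup2, UID=1005, GID=1005, home=/home/backup2
Mar  3 09:05:10 host1 sshd[1300]: Accepted publickey for alice from 10.1.99.20 port 50122 ssh2
Mar  3 09:06:30 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
"""

LINE_RE = re.compile(r"^\w{3}\s+\d+\s+(\d\d):\d\d:\d\d\s+(\S+)\s+(\S+?)(?:\[\d+\])?:\s+(.*)$")

def parse_line(line):
    """Return (hour, host, program, message) or None for a line that is not syslog-shaped."""
    m = LINE_RE.match(line)
    return (int(m.group(1)), m.group(2), m.group(3), m.group(4)) if m else None

def analyze(log_text):
    """Walk the log once and return (finding, detail) pairs for the misuse categories on the slide."""
    findings, failures = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hour, _host, prog, msg = rec
        if m := re.match(r"Failed password for \S+ from (\S+)", msg):
            failures[m.group(1)] += 1
            if failures[m.group(1)] == FAIL_THRESHOLD:  # report once per source
                findings.append(("auth-failures", m.group(1)))
        elif m := re.match(r"Accepted \w+ for (\S+) from (\S+)", msg):
            if hour in ODD_HOURS:
                findings.append(("odd-hour-login", m.group(1)))
            if failures[m.group(2)] >= FAIL_THRESHOLD:  # success right after a burst of failures
                findings.append(("login-after-failures", m.group(1)))
        elif prog == "useradd" and (m := re.search(r"name=(\w+)", msg)):
            findings.append(("new-account", m.group(1)))
        elif prog == "sudo" and (m := re.match(r"(\S+) : .*USER=(\S+)", msg)):
            findings.append(("privilege-escalation", f"{m.group(1)}->{m.group(2)}"))
    return findings
```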
HIDS Pros and Cons
• The advantages of host-based IDSs include:
  • Operating system-specific and more detailed.
  • Reduced false positive rates.
  • Examination of data after decryption.
  • Application specific.
  • Can determine an alarm's impact on the protected system.
  • Reduces the number of alarms generated.
• Before deployment, weigh the disadvantages of this technology:
  • One HIDS per system watched.
  • High cost of ownership and maintenance.
  • Uses local system resources.
  • Focused view; cannot relate to activity around it.
  • A locally logged IDS may be compromised or disabled.

Network-Based IDS
• A network IDS (NIDS) examines network traffic as it passes by: the bits and bytes traveling through the cables interconnecting the systems.
• It must be able to analyze traffic by protocol, type, amount, source, destination, content, and traffic already seen.
• The analysis must happen quickly: to be effective, the IDS must be able to handle traffic at whatever speed the network operates.

NIDS Focus – Network Traffic
• An NIDS analyzes traffic patterns to detect activities that represent hostile actions or misuse, e.g.,
  • Denial-of-Service attacks
  • Port scans or sweeps
  • Malicious content in the data payload of a packet or packets
  • Vulnerability scanning
  • Trojans, viruses, or worms
  • Tunneling
  • Brute-force attacks

NIDS Pros and Cons
• NIDS advantages
  • Takes fewer systems to provide IDS coverage.
  • Lower deployment, maintenance, and upgrade costs.
  • Has visibility into all network traffic and can correlate attacks among multiple systems.
• NIDS disadvantages
  • Ineffective when traffic is encrypted.
  • Cannot see traffic that does not cross it.
  • Must be able to handle high volumes of traffic.
  • Does not know about activity on the hosts themselves.

Misuse (Signature) Detection Model
• The IDS looks for suspicious activity or activity that violates specific policies and then reacts as it has been programmed.
• This is the more efficient model.
  • Does not need to learn what “normal” behavior is.
  • Generates an alarm whenever a pattern is successfully matched.
• The greatest weakness of a misuse model is its reliance on a predefined signature base.
  • Any activity that the misuse-based IDS does not have a signature for will go undetected.

Anomaly Detection Model
• The intrusion detection system must know what “normal” behavior on the host or network being protected really is.
• Once the “normal” behavior baseline is established, the IDS can identify deviations from the norm, which are further scrutinized to determine whether that activity is malicious.
• Building the profile of normal activity is usually done by the IDS itself, with some input from security administrators, and can take days or months.
Anomaly Detection Model
• The IDS must be flexible enough to account for things such as new systems, new users, and movement of information resources, while being sensitive enough to detect abnormal traffic.
• An anomaly-based system is not restricted to a specific signature set and is far more likely to identify a new exploit or attack tool that would go unnoticed by a traditional IDS.
• Most anomaly-based systems suffer from high false positives, especially during the “break-in” period while the system is learning the network.
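An added Python example (not from the slides) of the baseline-then-deviation approach described on the last two slides, scored with the false positive and false negative definitions from the False Responses slide: it learns a mean and standard deviation from constructed hourly connection counts and shows that a short break-in period flags ordinary variation as anomalous, while a longer learning period flags only the real burst. The counts, the 3-sigma threshold and the learning-period lengths are all assumptions.

```python
import statistics

def baseline(samples):
    """Profile of 'normal': mean and population standard deviation of the learning-period samples."""
    return statistics.fmean(samples), statistics.pstdev(samples)

def is_anomalous(value, mean, stdev, threshold=3.0):
    """Flag a value more than `threshold` standard deviations from the learned mean."""
    if stdev == 0:  # a flat baseline makes any change an anomaly
        return value != mean
    return abs(value - mean) / stdev > threshold

def detect(stream, learn_n, threshold=3.0):
    """Learn on the first learn_n samples, then return the indices flagged in the rest."""
    mean, stdev = baseline(stream[:learn_n])
    return [i for i in range(learn_n, len(stream)) if is_anomalous(stream[i], mean, stdev, threshold)]

def evaluate(stream, learn_n, attack_indices, threshold=3.0):
    """Score the detector against known attack positions: (true positives, false positives, false negatives)."""
    flagged, attacks = set(detect(stream, learn_n, threshold)), set(attack_indices)
    return len(flagged & attacks), len(flagged - attacks), len(attacks - flagged)

# Constructed hourly connection counts for one host (not real data); index 16 is a 400-connection burst.
COUNTS = [50, 52, 49, 51, 55, 47, 50, 53, 45, 49, 52, 48, 50, 54, 46, 51, 400, 50]
ATTACKS = [16]

if __name__ == "__main__":
    for learn_n in (3, 12):  # a short "break-in" period versus a longer one
        print(f"learn_n={learn_n}: flagged={detect(COUNTS, learn_n)} (tp, fp, fn)={evaluate(COUNTS, learn_n, ATTACKS)}")
```

With three learning samples the detector raises three false positives before the burst; with twelve, its profile of normal is wide enough that only the burst is flagged.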