1 / 48

Intrusion Detection Systems

In the Name of Allah. Intrusion Detection Systems. Present by Ali Fanian. Outline. Intrusion Concept Intrusion Detection Systems(IDS) Types of IDS Attacks to the IDS Gateway Intrusion Detection System Host-based Intrusion Detection.

derry
Download Presentation

Intrusion Detection Systems

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. In the Name of Allah Intrusion Detection Systems Present by Ali Fanian

  2. Outline Intrusion Concept Intrusion Detection Systems(IDS) Types of IDS Attacks to the IDS Gateway Intrusion Detection System Host-based Intrusion Detection

  3. An intrusion can be defined as “any set of actions that attempt to compromise the: Integrity confidentiality, or availability of a resource”. What is an intrusion?

  4. Intruders • Insider: abuse by a person with authorized access to the system. • Hacker: attack the via communication links (e.g. Internet). • Malicious software (`MalWare`, Trojan horse, Virus): attack on the system by software running on it.

  5. Intrusion Examples • Virus • Buffer-overflows • 2000 Outlook Express vulnerability. • Denial of Service (DOS) • explicit attempt by attackers to prevent legitimate users of a service from using that service. • Address spoofing • a malicious user uses a fake IP address to send malicious packets to a target. • Many others

  6. Outline Intrusion Concept Intrusion Detection Systems(IDS) Types of IDS Attacks to the IDS Gateway Intrusion Detection System Host-based Intrusion Detection

  7. Intrusion Detection Systems • Systems that detect attacks on computer systems.

  8. Intrusion Detection Systems • Intrusion Prevention System can prevent the network fromoutside attacks. Intruder Victim Intruder IPS Internet

  9. IDS BasicFunctions • Monitoring • Collect the information from the network • Analyzing • Determine what, if any thing, is of interest • Reporting • Generate conclusions and otherwise act on analysis results

  10. Intrusion Detection Systems • Firewalls are typically placed on the network perimeter protecting against external attacks • Firewalls allow traffic only to legitimate hosts and services • Traffic to the legitimate hosts/services can have attacks • Solution? • Intrusion Detection Systems • Monitor data and behavior • Report when identify attacks

  11. Intrusion Detection Systems • Traditional IDS response tends to be passive response • Secondary investigation required because IDS is still imperfect • These days, IDS can be set up to respond to events automatically – “active response”

  12. Intrusion Detection Systems • Active response – dropping connection, reconfiguring networking devices (firewalls, routers)

  13. Intrusion Detection Systems • Alarm investigation resource would affect the delays in response in both active and passive response • If multiple alarm types involved, which alarm to investigate is an issue

  14. Intrusion Detection Systems • Passive response • potential damage cost - resulting from alarmed events not investigated immediately • low false alarm costs since alarmed events are not disrupted

  15. Intrusion Detection Systems • Active response • It could prevent attack damage because the events are terminated immediately • higher false alarm costs contingent on the performance of the IDS

  16. Audit Log Architecture The System Being Monitored Profiles IDS Audit Log Data Alerts Reports

  17. Inline Architecture The System Being Monitored Profiles IDS Sniffer Data Alerts Reports

  18. Outline Intrusion Concept Intrusion Detection Systems(IDS) Types of IDS Attacks to the IDS Gateway Intrusion Detection System Host-based Intrusion Detection

  19. Types of IDS Host-based Signature-based Anomaly-based Network-based

  20. Signature-based IDS • Characteristics • Uses known pattern matching to signify attack

  21. Signature-based IDS • Advantages? • Widely available • Fairly fast • Easy to implement • Easy to update • Disadvantages? • Cannot detect attacks for which it has no signature

  22. Anomaly-based IDS • Characteristics • Uses statistical model or machine learning engine to characterize normal usage behaviors • Recognizes departures from normal as potential intrusions

  23. Anomaly-based IDS • Advantages? • Can detect attempts to exploit new and unforeseen vulnerabilities • Can recognize authorized usage that falls outside the normal pattern • Disadvantages? • Generally slower, more resource intensive compared to signature-based IDS • Greater complexity, difficult to configure • Higher percentages of false alerts

  24. More Problems with Anomaly Detection • The dynamic update problem is unsolved. • You can train these systems successfully to handle static environments, but computer networks are dynamic. • If you try to retrain an existing system to deal with new events, it will usually forget its old training. You have to give it the old training data as well as the new.

  25. Possible Approaches to Anomaly Detection • Neural networks • Expert systems • Statistical decision theory

  26. Network-based IDS • Characteristics • NIDS examine raw packets in the network passively and triggers alerts

  27. Network-based IDS • Advantages? • Easy deployment • Difficult to evade • Disadvantages? • NIDS needs to create traffic seen at the end host • Need to have the complete network topology and complete host behavior

  28. Host-based IDS • Characteristics • Runs on single host • Can analyzelogs, integrity of files and directories, etc.

  29. Host-based IDS • Advantages • More accurate than NIDS • Less volume of traffic so less overhead • Disadvantages • Deployment is expensive • What happens when host get compromised?

  30. Honey Pots and Burglar Alarms • Burglar alarms are resources on the network that generate an alarm if accessed incorrectly. • Honey pots are burglar alarms dressed up to look attractive. • Have to look real to the attackers

  31. Intrusion Detection Using Honey Pot • Honey pot is a “decoy” system that appears to have several vulnerabilities for easy access to its resources. • It provides a mechanism so that intrusions can be trapped before attack is made on real assets.

  32. Intrusion Detection Using Honey Pot (cont.) Multi-level Log Mechanism (MLLM) • MLLM logs the attacker’s activities into • Remote Log Server • Sniffer Server

  33. Intrusion Detection Using Honey Pot (cont.) An Architecture for Intrusion Detection using Honey Pot

  34. IDS Placement

  35. Outline Intrusion Concept Intrusion Detection Systems(IDS) Types of IDS Attacks to the IDS Gateway Intrusion Detection System Host-based Intrusion Detection

  36. Attacks to the IDS • Overload until IDS fails to keep up with the data • Overload packet filter (easy) • Overload event engine (difficult because events are light weighted and attacker doesn’t know policy script) • Overload Logging/Recording mechanism

  37. Attacks to the IDS An Subterfuge attack attempts to mislead the IDS to the meaning of the analyzed traffic

  38. IDS Software • Snort­ Free, libpcap based, rules driven IDS package. Many add-on components available. • …

  39. Outline Intrusion Concept Intrusion Detection Systems(IDS) Types of IDS Attacks to the IDS Gateway Intrusion Detection System Host-based Intrusion Detection

  40. What Is a Gateway IDS? • Gateway Intrusion Detection System • A network intrusion detection system which acts as a network gateway • Designed to stop malicious traffic and generate alerts on suspicious traffic • An “ideal” gateway IDS is able to stop all known exploits

  41. GIDS Acts as network gateway Stops suspect packets Prevents successful intrusions False positives are VERY bad NIDS Only observes network traffic Logs suspect packets and generates alerts Cannot stop an intruder False positives are not as big of an issue GIDS vs NIDS

  42. About Inline Snort • Based on the Snort intrusion detection system • Operation is similar to some bridging firewalls • Uses snort rules with some additional keywords to make forward/drop decisions • Compatible with most snort plugins • Freely available under the GPL

  43. Inline Snort • drop Drops a packet, sends an rst, logs the packet • ignore Drops a packet without sending an rst • sdrop Drops a packet, sends an rst, does not log the packet

  44. Content Replacement It can replace content in a packet • “replace” keyword tells hogwash to replace a detected string with another string. • Example: alert tcp any any -> $IIS_SERVERS 80 (content:”cmd.exe”; replace:”yyy.yyy”;) • Any content in the packet payload can be replaced. • A great way to break an exploit without dropping the packet!!

  45. Sample snort Rules • To drop incoming port 80 connections: drop tcp any any -> $HOMENET 80 (msg:”Port 80 tcp”) • To drop cmd.exe calls to your webservers: drop tcp any any -> $HOMENET 80 (msg:“cmd.exe attempt”; content: “cmd.exe”)

  46. Outline Intrusion Concept Intrusion Detection Systems(IDS) Types of IDS Attacks to the IDS Gateway Intrusion Detection System Host-based Intrusion Detection

  47. Host-based Intrusion Detection Anomaly detection: • IDS monitors system call trace from the app • DB contains a list of subtraces that are allowed to appear • Any observed subtrace not in DB sets off alarms App allowedtraces IDS Operating System

  48. HIDS’ Advantages over NIDS • HIDS can monitor user-specific activity of the system • Check process listing, local log files, system calls. • It is difficult for NIDS to associate packets to specific users (except when content switch-based NIDS is used!) and to determine if the commands in the packets violate specific user’s access privilege.

More Related