
ecs236 Winter 2006: Intrusion Detection #1: IDS Architecture



  1. ecs236 Winter 2006: Intrusion Detection #1: IDS Architecture. Dr. S. Felix Wu, Computer Science Department, University of California, Davis. http://www.cs.ucdavis.edu/~wu/ sfelixwu@gmail.com ecs236 winter 2006

  2. Intrusion Prevention • Prevention: This should/must never be broken into! • “This” means a perfectly designed, implemented, and managed/configured secure system!

  3. Intrusion Detection • Prevention: This should/must never be broken into! • Detection: “This” will need to face the reality check! • We had, have, and will have so many “expected” unexpecteds. • Industry has never been really serious about cyber security: it is profit/market-driven.

  4. We accept it as a fact…

  5. And, we have to have…

  6. Intrusion Detection • Prevention: This should/must never be broken into! • Detection: “This” will need to face the reality check! • We had, have, and will have so many “expected” unexpecteds. • We had, have, and will have even more “unexpected” unexpecteds!!

  7. To: All Faculty, Staff and Students. On Tuesday, January 03, 2006, UC Davis implemented temporary measures to prevent the exploitation of a serious new computer vulnerability for which no patch is yet available. This vulnerability affects Windows 2000, Windows XP, Windows Server 2003, Windows 98 and ME systems and may be exploited when infected email file attachments or infected Web pages are viewed. Once a computer is infected, data may be permanently lost and/or a remote attacker could gain control of the computer. After extensive consultation with the campus leadership, the decision has been made to temporarily block WMF image attachments. These files can have a number of different extensions, but most commonly will have .wmf and .jpg extensions.

  8. Max-Sequence # Attack • Block LSA updates for one hour by injecting one bad LSA. (An LSA carrying the maximum sequence number is treated as the newest instance, so legitimate updates are rejected until it ages out after MaxAge, one hour, unless the originator purges it as the standard requires.) • You can hit it once and come back in an hour. • Implementation bug! • Two independently developed OSPF packages. • MaxSeq# LSA purging has not been implemented correctly!! • Announced in May 1997.

  9. What is Intrusion Detection?

  10. Intrusion Detection • Detecting intrusions such as • Viruses, worms, spyware, phishing, spamming, insiders, unauthorized activities, faults/failures, among many others • Detecting and managing anything “unexpected” • Anomalies • Question: “Detecting what??”

  11. Intrusion Detection Model: Input event sequence → Intrusion Detection → Results

  12. Results?? • This email contains virus XYZ • This email might be a spam with 80% probability • This email is somewhat trusted based on your social network • This email might be malicious • This email might be malicious for reasons ABC and DEF.

  13. Intrusion Detection Model: Input event sequence → Intrusion Detection (pattern matching) → Results

  14. IDS Events • TCPdump traces • OS kernel and host-level information • BGP traces • Application logs • Many others…

  15. Anti-Virus: Input event sequence → Virus Detection (pattern matching against virus definitions) → Results

  16. Credit Card Fraud Detection: Input event sequence → Fraud Detection (statistical pattern matching against spending patterns) → Results

  17. SNORT: Input event sequence → SNORT (pattern matching against rules) → Results

  18. Welcome to ecs236 • S. Felix Wu • sfelixwu@gmail.com, x4-7070 • Office: 3057 Engineering II • Office Hours: • 2-3 p.m. on Tuesday and Friday • by appointment

  19. Intrusion Detection • Practical Engineering • Performance, Accuracy, Scalability, CPU/Memory, Correlation, Deployment. • Theoretical Foundation • Detectability/Limitation, Dimensionality, Entropy, False Negative and Positive, Evaluation

  20. In this quarter… • The architecture of ID and IDS • Stateful versus stateless • Signature, specification, anomaly • Analysis of ID results • Explanation and analysis • Event correlation • IDS evaluation, or attacking IDS • Attack polymorphism and IDS evasion • IDS fundamental principles • A balance between: • Engineering a high-performance IDS system • Fundamentally understanding our limitations

  21. Starter: SNORT • Understand the architecture and source code • How to evaluate SNORT? • What is the most critical performance bottleneck of SNORT? • Is SNORT stateful or stateless? Why? • What are the pros and cons regarding SNORT versus Bro? http://www.snort.org/

  22. Syllabus • SNORT IDS engine • Anomaly-based approach • Event correlation and analysis • IDS evaluation • Advanced research topics

  23. Course Requirements • 30%: Starter • 15%: Proposal • 30%: Final Project • 25%: Class Participation • “develop interesting/creative research problems related to the lectures/reading assignments, and justify the reasons” • And, you need to interact with the instructor! • 5 of them, 5% each (1~2 pages)

  24. Final Projects • Polymorphic/metamorphic worm detection • Integration of network/host IDSes • Anomaly detection in SNORT • IDS evaluation using TCPopera • SNORT event correlation and explanation • Stateful SNORT • SNORT evasion

  25. About the Web site • http://www.cs.ucdavis.edu/~wu/ecs236/ • all lectures, notes, announcements, homework assignments, tools, papers will be there.

  26. Let’s start it… • SNORT 2.4.3 • You might need to install the PCRE (Perl Compatible Regular Expressions) package. • Get it to compile and install. • Any platform you like…

  27. Snort • Open source, since 1998 • Used by many major network security products • Signature-based (more than 3000 signatures) • Simple IP header protocol anomaly detection • Simple stateful pattern matching

  28. The Spirit of SNORT • They started with something very simple and extensible. • If we feel we need the XYZ feature (due to an attack like STICK), we will write a plug-in for XYZ!! • An evolving system • But, not sure how much in the future…

  29. Signature-based NIDS. Martin Overton, “Anti-Malware Tools: Intrusion Detection Systems”, European Institute for Computer Anti-Virus Research (EICAR), 2005. Signature found in a W32.Netsky.p binary sample; rules for Snort:

  30. Signature-based Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (flow:to_server,established; content:"|eb2f 5feb 4a5e 89fb 893e 89f2|"; msg:"EXPLOIT x86 linux samba overflow"; reference:bugtraq,1816; reference:cve,CVE-1999-0811; classtype:attempted-admin;)

  31. SNORT Rules • Alert • Pass • Log


  33. False Alarm Rate versus False Positive: 101 events (100 good + 1 bad) → pattern matching → 2 alerts (1 good + 1 bad). False alarm rate = 1 false alert / 2 alerts = 50%; false positive rate = 1 good event flagged / 100 good events = 1%. The same detector looks very different depending on which denominator you use.

  34. STICK: SNORT rules → STICK → attack packets → stateless SNORT → alerts. STICK reads the SNORT rule set and generates packets that match each rule, so a stateless signature matcher raises an alert for every packet sent.

  35. What Alerts do we want? • This is an administrative/policy issue. • Do I want to know this? • Idea: How can we rank the information quantitatively (in a meaningful way)? • Maybe it is hard to rank “one particular alert” • But it is much more useful to rank “a sequence of alerts/events” → Correlation and Anomaly Detection!!


  38. Preprocessors • Stream4 • Frag2 • Telnet_negotiation • HTTP normalization • RPC_decode • Portscan • Back Orifice

  39. Experimental Preprocessors • Arpspoof • Asn1_decode • Fnord (NOP detection) • portscan2


  42. RTN: Rule Tree Node (the rule header: action, protocol, source/destination addresses and ports)

  43. RTN/OTN Matrix. OTN: Option Tree Node (the rule options, e.g. content and msg). Rules that share a header hang off one RTN as a chain of OTNs, so the header is tested once for all of them. Example rule: alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)
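The RTN/OTN split described on slides 42 and 43, as an added example that is not part of the original slides or of Snort's own parser (Snort's lives in parser.c and rules.h). It uses a simplified grammar (a seven-field header followed by a parenthesised, ';'-separated option list), takes the two rules quoted on the slides as input, and adds one constructed rule that shares the mountd header so the grouping is visible.

```python
"""Split Snort rules into their header (RuleTreeNode, RTN) and option
list (OptTreeNode, OTN) and group OTNs under the RTN they share.

Added example for this page, not Snort's own parser; simplified grammar:
seven header fields, then a parenthesised ';'-separated option list.
"""
import re
from collections import OrderedDict, namedtuple

# Header fields that identify an RTN.  Two rules with identical headers are
# attached to one RTN, so the header is tested once for both.
RTN = namedtuple("RTN", "action proto src sport direction dst dport")

HEADER_RE = re.compile(
    r"^\s*(?P<action>alert|log|pass|activate|dynamic)\s+"
    r"(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$",
    re.S,
)


def split_options(opts):
    """Split 'k:v; k2; ...' on ';' while ignoring ';' inside double quotes."""
    parts, cur, in_quotes = [], [], False
    i = 0
    while i < len(opts):
        c = opts[i]
        if in_quotes and c == "\\" and i + 1 < len(opts):
            cur.append(opts[i:i + 2])           # keep escaped char verbatim
            i += 2
            continue
        if c == '"':
            in_quotes = not in_quotes
        if c == ";" and not in_quotes:
            if "".join(cur).strip():
                parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    if "".join(cur).strip():
        parts.append("".join(cur).strip())
    return parts


def parse_rule(text):
    """Return (RTN, OTN); OTN is a list of (keyword, value or None) pairs in
    rule order.  Order matters: modifiers such as 'nocase' and 'distance'
    apply to the content option that precedes them."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("not a Snort rule: %r" % text)
    rtn = RTN(*(m.group(f) for f in RTN._fields))
    otn = []
    for opt in split_options(m.group("opts")):
        key, sep, val = opt.partition(":")
        otn.append((key.strip(), val.strip() if sep else None))
    return rtn, otn


def build_matrix(rules):
    """Map each distinct RTN to the list of OTNs hanging off it."""
    matrix = OrderedDict()
    for text in rules:
        rtn, otn = parse_rule(text)
        matrix.setdefault(rtn, []).append(otn)
    return matrix


# The two rules quoted on the slides plus one constructed rule that shares
# the mountd header (same action/proto/addresses/ports, different content).
RULES = [
    'alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; '
    'msg:"mountd access";)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (flow:to_server,established; '
    'content:"|eb2f 5feb 4a5e 89fb 893e 89f2|"; '
    'msg:"EXPLOIT x86 linux samba overflow"; reference:bugtraq,1816; '
    'reference:cve,CVE-1999-0811; classtype:attempted-admin;)',
    # constructed for illustration, not a rule from the Snort ruleset
    'alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a0|"; '
    'msg:"constructed: second rule on the mountd header";)',
]

if __name__ == "__main__":
    for rtn, otns in build_matrix(RULES).items():
        print("RTN", rtn)
        for otn in otns:
            print("   OTN", otn)
```

Running it prints two RTNs: the samba header with one OTN, and the mountd header with two OTNs chained under it. This is also why a large ruleset is cheaper than it looks: the number of header checks per packet grows with the number of distinct headers, not with the number of rules.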


  45. SNORT Rule Actions • Dynamic • Activate • Alert • Pass • Log


  48. Fast Multiple Patterns • Wu-Manber (bad-character shift over character blocks, the “bad-word” shift) • Consumes the least amount of memory • Aho-Corasick (FSM) • Fast, with potential for parallelism and FPGA implementation • Boyer-Moore (bad-character/good-suffix shift; a single-pattern algorithm) • For small rule sets

  49. Aho-Corasick automaton for P = {he, she, his, hers}: 10 states numbered 0 to 9, state 0 the initial state, the states reached after reading he, she, his and hers accepting; transition function over the symbols h, e, s, i, r (edges pointing back to state 0 are not shown). • Example: P = {he, she, his, hers} • The construction: linear time. • The search for all patterns in P: linear time.
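The Aho-Corasick automaton of slides 48 and 49, as an added example that is not part of the original slides and not Snort's implementation (Snort 2.4's is in src/sfutil/acsmx.c). It builds the goto/failure/output functions for the slide's pattern set {he, she, his, hers}, which yields exactly the 10 states drawn on the slide, and scans constructed byte-string payloads in a single pass.

```python
"""Aho-Corasick multi-pattern matcher over byte strings: one automaton is
built from all patterns and each payload is scanned exactly once, so scan
cost is linear in payload length and independent of the number of rule
contents loaded.

Added example for this page, not Snort's implementation.  Pattern set is
the slide's {he, she, his, hers}; payloads in the tests are constructed.
"""
from collections import deque


class AhoCorasick:
    def __init__(self, patterns):
        self.goto = [{}]       # goto[state][byte] -> next state (trie edges)
        self.fail = [0]        # fail[state] -> longest proper-suffix state
        self.out = [set()]     # out[state] -> patterns that end in this state
        for p in patterns:
            self._insert(p)
        self._build_failure_links()

    def _insert(self, pattern):
        s = 0
        for b in pattern:
            if b not in self.goto[s]:
                self.goto.append({})
                self.fail.append(0)
                self.out.append(set())
                self.goto[s][b] = len(self.goto) - 1
            s = self.goto[s][b]
        self.out[s].add(pattern)

    def _build_failure_links(self):
        # Breadth-first over the trie: a state's failure target is always
        # shallower, so it is finished by the time it is needed.
        queue = deque(self.goto[0].values())   # depth-1 states fail to root
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                # Reaching s also completes every pattern that is a suffix
                # of the path to s, so inherit the fail state's outputs.
                self.out[s] |= self.out[self.fail[s]]

    def num_states(self):
        return len(self.goto)

    def search(self, payload):
        """Return [(offset, pattern)] for every occurrence, in one pass."""
        hits, s = [], 0
        for i, b in enumerate(payload):
            while s and b not in self.goto[s]:
                s = self.fail[s]               # back off along failure links
            s = self.goto[s].get(b, 0)
            for p in sorted(self.out[s]):
                hits.append((i - len(p) + 1, p))
        return hits


PATTERNS = [b"he", b"she", b"his", b"hers"]    # the slide's example set
ac = AhoCorasick(PATTERNS)

if __name__ == "__main__":
    print(ac.num_states(), "states")           # 10, numbered 0..9 on the slide
    print(ac.search(b"ushers"))
```

On b"ushers" the scan reports she at offset 1 and both he and hers at offset 2; the he hit comes from the output inherited along the failure link from the she state, which is the detail that makes a single pass sufficient.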

  50. Distance: content:"SITE"; nocase; content:"EXEC"; distance:0; nocase; • distance:N makes a content relative: the search for it starts N bytes after the end of the previous content match rather than at the start of the payload. With distance:0, EXEC must follow SITE (immediately or anywhere later); merely having both strings somewhere in the packet is not enough.
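The relative-content semantics of slide 50, as an added example that is not part of the original slides and not Snort's detection engine. It evaluates the slide's option chain (SITE, then EXEC with distance:0, both nocase) and the same chain without distance against constructed FTP command lines, to show what distance:0 changes.

```python
"""Evaluate a chain of Snort 'content' options with the 'nocase' and
'distance' modifiers.  A content carrying 'distance:N' is relative: the
search for it starts N bytes after the END of the previous content match,
so 'distance:0' means "anywhere after the previous match".

Added example for this page, not Snort's own engine; chain from the slide,
payloads constructed.  Simplification: only the first match of each
content is taken (Snort can re-search an earlier content at a later
offset when a relative content after it fails).
"""


def match_content_chain(payload, chain):
    """chain: list of dicts with keys content (bytes), nocase (bool) and,
    optionally, distance (int).  Returns a list of (start, end) spans, one
    per content, or None as soon as a content in the chain fails."""
    spans = []
    prev_end = 0
    for opt in chain:
        pattern, haystack = opt["content"], payload
        if opt.get("nocase"):
            pattern, haystack = pattern.lower(), payload.lower()
        if "distance" in opt:
            start = max(0, prev_end + opt["distance"])   # relative to last match
        else:
            start = 0                                    # absolute: payload start
        pos = haystack.find(pattern, start)
        if pos < 0:
            return None
        spans.append((pos, pos + len(pattern)))
        prev_end = pos + len(pattern)
    return spans


# content:"SITE"; nocase; content:"EXEC"; distance:0; nocase;
SITE_EXEC_CHAIN = [
    {"content": b"SITE", "nocase": True},
    {"content": b"EXEC", "nocase": True, "distance": 0},
]

# Same two contents with no 'distance': each is searched from offset 0,
# so this chain also fires when EXEC comes before SITE.
UNORDERED_CHAIN = [
    {"content": b"SITE", "nocase": True},
    {"content": b"EXEC", "nocase": True},
]

# Constructed FTP command lines.
PAYLOADS = [
    b"site exec %p%p%p%p%p%p\r\n",           # the command shape the rule targets
    b"EXEC SITE\r\n",                         # both words present, wrong order
    b"SITE CHMOD 755 x\r\nSITE EXEC ls\r\n",  # EXEC follows a later SITE
]

if __name__ == "__main__":
    for p in PAYLOADS:
        print(p, match_content_chain(p, SITE_EXEC_CHAIN))
```

The second payload is the instructive one: without distance the chain matches it (SITE at 5, EXEC at 0), with distance:0 it does not, because the EXEC search starts at offset 9, after the end of SITE.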
