Survey of Information Assurance Intrusion Detection systems
Agenda
• The Early Systems
• Network Based Detection
  • Architecture
  • Benefits
  • Challenges
• Host Based Detection
  • Architecture
  • Benefits
  • Challenges
• Detection Mechanisms
Scope of Discussions
• Details of signature matching algorithms are not covered.
• The validity of data collected by an IDS from a legal point of view is not discussed.
• Data mining techniques and data refinement are not discussed.
• The business aspect of intrusion detection is not covered.
IDS – systems that collect information from a variety of system & network resources, and then analyze the information for signs of intrusion and misuse.
Flaws of early IDS
• No platform independence: an IDS could not analyze data from systems other than the one it was designed for, i.e. the systems were OS specific.
• No system independence: an IDS could not process data from systems other than the original targets for which it had been designed.
• Bad UI: the user interfaces were far from intuitive because these were research projects.
Types of IDS
• Network Based Intrusion Detection Systems
  • The system analyzes network packets, i.e. the data sent out of the host interface.
  • Packets are usually "sniffed" off the network.
  • The IDS is uniquely positioned to detect access attempts and DOS attacks originating from outside.
• Host Based Intrusion Detection Systems
  • Analyze data originating at the host.
  • Have no access to, or monitoring of, data in the network or data originating at other hosts.
Network Based IDS
• Unauthorized access
  • Unauthorized login
  • Jump-off point for other attacks
  • Data/resource theft
  • Password downloads
  • Bandwidth theft
• DOS (denial of service)
  • Malformed packets
  • Packet flooding
  • Distributed DOS
A B C of Network Based IDS: A – Architecture, B – Benefits, C – Challenges
Network Based IDS - Architecture
• Sensors are deployed across the network and report to a central console.
• Sensors: self-contained detection engines that obtain packets from the network, search for intrusion-like behavior and send information back to the central console.
• Types:
  • Traditional Sensor: sensors monitor network segments, not individual machines.
  • Network Node: an agent is placed on each machine in the network and monitors only the traffic received by that machine.
[Diagram: A Standard Network IDS. Components: Network Packets, Network sensor (TCP/IP Records, Detection Engine), Command Console (Log, Alert, Response Subsystem, Report, Data Forensics, Data Base), Security Officer; the data flow is numbered 1 to 9.]
Traditional Sensor based Architecture
• Steps:
  • A packet is sent (by anyone) on or outside the network.
  • It is sniffed by the sensor.
  • The sensor-resident detection engine examines the packet for pre-defined misuse patterns. When a pattern is detected, an "Alert" is sent to the central console.
  • The Security Officer is notified.
  • A response is generated. It may be automated or directed by the security officer, and may include reconfiguration of the sensor, router or firewall.
  • A log entry is made.
  • A comparison is made with the data base and a report is created.
  • The incident is stored in the data base to establish any long-term trend using Data Forensics.
[Diagram: A Sensor Based Network IDS. Components: Network Packets, Network sensor (TCP/IP Records, Detection Engine), Command Console (Log, Alert, Response Subsystem, Report, Data Forensics, Data Base), Security Officer; the data flow is numbered 1 to 9.]
Distributed Network-Node Architecture
• Steps:
  • A packet is sent (by anyone) on or outside the network.
  • It is sniffed by the sensor placed on the destination machine.
  • The sensor-resident detection engine examines the packet for pre-defined misuse patterns. When a pattern is detected, an "Alert" is sent to the central console.
  • The Security Officer is notified.
  • A local response is generated.
  • A log entry is made.
  • A comparison is made with the data base and a report is created.
  • The incident is stored in the data base to establish any long-term trend using Data Forensics.
[Diagram: A Distributed Network Node IDS. Components: Network Packets, Network sensor on the node (TCP/IP Records, Detection Engine, Local Response), Command Console (Alert, Report, Data Forensics, Data Base), Security Officer; the data flow is numbered 1 to 8.]
Network Based IDS: Benefits
• Outsider Deterrence
  • Responding to an attack attempt with a legal notice, e-mail warning, etc.
• Detection
  • Signature matching
  • Statistical behavioral analysis
• Automated Response and Notification
  • Notify the system administrator
  • Reconfigure the router/firewall to block the attacking source address
Network Based IDS: Challenges
• Packet Reassembly
  • Ptacek and Newsham's 1998 paper "Insertion, Evasion, and DOS: Eluding Network Intrusion Detection"
• High Speed Networks
• Sniffer Detection Programs
  • Antisniff (1999)
• Switched Networks
• ATM
• Encryption
Host Based IDS
• Abuse of privilege
  • Administrative lapse (incorrect privilege assignment, domain addition, ex-employee accounts)
  • Privileged user disclosing data
• Changes in Security Configuration
  • Admin rights given to a user, WFH user laptops
  • Guest account
  • Open registry (Windows NT defaults)
  • Legal notice missing
A B C of Host Based IDS: A – Architecture, B – Benefits, C – Challenges
Host Based IDS - Architecture
• Usually agent based
• Agent: an executable that runs on the target host and communicates with a Central Command Console.
• Types:
  • Centralized Host Based Architecture
  • Distributed Real-Time Architecture
  • Agentless Host-Based Intrusion Detection
Centralized Host Based Architecture
• Steps:
  • An event record is created (a program executed, a file accessed, etc.).
  • The agent sends the audit file to the CC (Command Console).
  • The detection engine processes the file.
  • A log is created.
  • An alert is generated.
  • The Security Officer is notified.
  • A response is generated.
  • The alert is stored.
  • Raw data is moved to the data archive.
  • Reports are generated.
[Diagram: A Centralized Host Based IDS. Components: Target Host (Audit Subsystem, Audit Data, Raw Data), Command Console (Centralized Collector, Detection Engine, Log, Alert, Response Subsystem, Report, Data Forensics, Data Base), Security Officer; the data flow is numbered 1 to 9.]
Distributed Real-Time Architecture
• Steps:
  • An event record is created.
  • The file is read in REAL-TIME and processed by the target-resident engine.
  • The Security Officer is notified.
  • A response is generated.
  • The alert is generated and sent to the central console.
  • Data Forensics is used to look for long-term trends; there is no raw data archive or statistical data.
  • Reports are generated.
[Diagram: A Distributed Real-Time Host IDS. Components: Target Host (Audit Subsystem, Audit Data, Detection Engine, Local Response), Command Console (Collector, Alert, Report, Data Forensics, Data Base), Security Officer; the data flow is numbered 1 to 8.]
Agentless Architecture
• There are no host-based agents.
• The central console monitors systems through an API that gives it "remote control" of the data source.
• Example: Windows NT/2000 has an API with such capabilities. Kane Security Monitor makes use of this facility.
Host Based IDS: Benefits
• Insider Deterrence
• Detection
• Notification and Response
  • Log off user / disable account
  • Execute local script
• Damage Assessment
• Attack Anticipation
• Prosecution Support
Host Based IDS: Challenges
• Performance
  • Especially in the Distributed Real-Time Architecture
• Deployment/Maintenance
• Compromise
  • Disabling or shutting down the agent
  • Spoofing
  • Inserting into audit records
  • Erasing audits
Detection mechanisms: Network Based Signatures, Host Based Signatures
Network Based Signatures (1 of 2)
• Packet Content Inspection
  • The packet data (payload) is inspected for patterns or signatures.
  • Example: FTP Site Exec. Pattern within data: (c7a5 db87 c7a5 db01) exec cat /etc/passwd\r\n
Network Based Signatures (2 of 2)
• Packet Header Inspection
  • The packet header is inspected for patterns or signatures.
  • Examples:
    • Broadcast Attack
    • Land Attack
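The packet-reassembly challenge cited above (Ptacek and Newsham) and the content-inspection signature on the previous slide, shown together in an added example that is not from these slides or from Proctor's handbook: a naive per-packet matcher misses the slide's site exec pattern once the payload is split across two out-of-order TCP segments, while an engine that reassembles the stream before inspecting it still fires. The regex form of the signature, the reassembly routine and the sample segments are all assumptions constructed for this example.

```python
import re

# Regex form of the slide's site exec content signature (assumption; the hex
# prefix shown on the slide is not modelled here).
SITE_EXEC_SIG = re.compile(rb"exec\s+cat\s+/etc/passwd")

def match_per_packet(segments):
    """Naive engine: inspect every segment's payload on its own.
    Returns the sequence numbers of segments that match."""
    return [seq for seq, payload in segments if SITE_EXEC_SIG.search(payload)]

def reassemble(segments, isn):
    """Rebuild the TCP byte stream from (seq, payload) pairs starting at isn.
    Segments are ordered by sequence number; duplicates and overlapping
    retransmissions contribute only bytes not already seen. A hole (missing
    segment) stops reassembly so nothing past it is inspected."""
    stream, expected = b"", isn
    for seq, payload in sorted(segments):
        if seq > expected:            # gap in the stream: stop here
            break
        already = expected - seq      # bytes of this segment we already hold
        if already < len(payload):
            stream += payload[already:]
            expected = seq + len(payload)
    return stream

def match_stream(segments, isn):
    """Stream-aware engine: reassemble first, then inspect."""
    return SITE_EXEC_SIG.search(reassemble(segments, isn)) is not None

# Constructed sample: the command is split across two segments that arrive out
# of order, and the second segment is retransmitted once.
ISN = 1000
SEGMENTS = [
    (1012, b"t /etc/passwd\r\n"),
    (1000, b"SITE exec ca"),
    (1012, b"t /etc/passwd\r\n"),  # duplicate retransmission
]

if __name__ == "__main__":
    print("per-packet matches:", match_per_packet(SEGMENTS))   # []
    print("stream match:", match_stream(SEGMENTS, ISN))         # True
```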
Host Based Signatures
• Single Event Signatures
  • Writing to an executable
  • Access flags "WriteData", "WriteAttributes", "WriteEA", "AppendData", etc.
• Multi Event Signatures
  • Repeated failed logins
• Multi-Host Signatures
  • Events distributed over multiple hosts
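The multi-event and multi-host signatures on this slide, as an added example that is not from these slides or from Proctor's handbook: a small host-based detection engine run over constructed audit records, firing once when one user/source pair fails a login three times inside a sliding 60 s window, and once when the same user fails on two different hosts inside that window. The record format, thresholds and sample lines are assumptions constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit-record format (an assumption, not a real product's format).
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) login: FAILED user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse(line):
    """Return a dict for a failed-login record, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def detect(lines, threshold=3, window=timedelta(seconds=60), min_hosts=2):
    """Multi-event signature: `threshold` failures for one (user, src) within
    `window`. Multi-host signature: one user failing on `min_hosts` distinct
    hosts within `window`. Each signature fires at most once per key."""
    per_src, per_user, fired, alerts = defaultdict(deque), defaultdict(deque), set(), []
    for ev in filter(None, map(parse, lines)):
        key = (ev["user"], ev["src"])
        q = per_src[key]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:        # slide the window forward
            q.popleft()
        if len(q) >= threshold and ("event", key) not in fired:
            fired.add(("event", key))
            alerts.append(("repeated_failed_logins", ev["user"], ev["src"]))
        h = per_user[ev["user"]]
        h.append((ev["ts"], ev["host"]))
        while ev["ts"] - h[0][0] > window:
            h.popleft()
        hosts = tuple(sorted({name for _, name in h}))
        if len(hosts) >= min_hosts and ("host", ev["user"]) not in fired:
            fired.add(("host", ev["user"]))
            alerts.append(("multi_host_failed_logins", ev["user"], hosts))
    return alerts

# Constructed sample audit records.
SAMPLE_LOG = [
    "2024-05-01T09:00:00 web1 login: FAILED user=alice src=10.0.0.5",
    "2024-05-01T09:00:20 web1 login: FAILED user=alice src=10.0.0.5",
    "2024-05-01T09:00:40 web1 login: FAILED user=alice src=10.0.0.5",  # third inside 60 s
    "2024-05-01T09:05:00 web1 login: FAILED user=bob src=10.0.0.9",
    "2024-05-01T09:05:30 db1 login: FAILED user=bob src=10.0.0.9",     # same user, second host
    "2024-05-01T09:10:00 web1 login: FAILED user=carol src=10.0.0.7",
    "2024-05-01T09:12:00 web1 login: FAILED user=carol src=10.0.0.7",  # too spread out to fire
    "2024-05-01T09:14:00 web1 login: FAILED user=carol src=10.0.0.7",
    "2024-05-01T09:15:00 web1 audit: LOGON_SUCCESS user=alice",         # ignored by the parser
]
```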
Limitations of IDS
• Not an answer to primary network security issues
• Requires a standard firewall and malware protection system
• May not be able to detect a new attack, but does provide data to trace such activity
Latest trends: IDS and IPS
• IPS – Intrusion Prevention Systems. An IPS is much more active than an IDS and is therefore seen as the better security technology.
• IDS/IPS functionality is usually incorporated into the firewall or VPN.
• These technologies can be used for rate-limiting a particular kind of data.
• More L7 analysis is being incorporated into IDS/IPS systems.
References
• Content and diagram references from The Practical Intrusion Detection Handbook by Paul E. Proctor
• http://www.sans.org/resources/idfaq/what_is_id.php?portal=3ddecea0aa1dd75e13d0c7f68b7a57eb
• http://www.networksecurityjournal.com/intrusion-detection/
• http://www.networksecurityjournal.com/features/current-trends-in-ids-ips-052907/