
Design Lines for a Long Term Competitive IDS

Erwan Lemonnier, KTH-IT / Defcom, 2001/10/08. Thesis subject: an analysis of IDS difficulties and how to solve them. Two approaches are explored: designing efficient filters and improving the IDS architecture (MIDS).



Presentation Transcript


  1. Design Lines for a Long Term Competitive IDS. Erwan Lemonnier, KTH-IT / Defcom

  2. Design Lines for a Long Term Competitive IDS - Erwan Lemonnier - 2001/10/08
  • Thesis subject: an analysis of IDS difficulties and how to solve them. Two approaches are explored:
    • Designing efficient filters
    • Improving IDS architecture (MIDS)

  3. Plan of Presentation
  • Introduction to IDSs
  • IDS challenges
  • Solution 1: efficient filter design
  • Solution 2: MIDS, an alternative IDS architecture

  4. Introduction to IDSs
  IDSs are programs monitoring a computer system (network, host) to detect intrusion attempts. An IDS is typically made of a sensor, some filters, an alert-flow and a monitoring center.
  [Diagram: monitored system (host / network) -> monitored data -> sensor (sensor API) -> filters -> alert-flow -> monitoring center]

  5.
  • Sensors: host based / network based
  • Filters: small programs analyzing sensor data to detect intrusions
  • Detection strategies:
    • Signature
    • Anomaly detection (protocol anomaly)
  [Diagram: protocol standard vs. practical usage vs. attacks]

  6. IDS Challenges
  • Insertion & evasion
  • Alert-flow control
  • Encrypted traffic
  • Learning from antiviruses
  • Technical obstacles

  7. Insertion & Evasion
  • Efficient detection theoretically implies knowledge of the monitored system's state and rules.
  • Despite standards, systems are implemented differently (ex: different TCP/IP stack implementations).
  • => the IDS always makes some false assumptions about the monitored system's reactions
  • => it is possible to shape the traffic so that the IDS accepts a packet but the monitored system does not (insertion), or the contrary (evasion)
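The reassembly ambiguity behind insertion and evasion, as an added example that is not part of the original slides: an IDS-side TCP reassembler that rebuilds the stream under both overlap policies and alerts on the disagreement instead of guessing which policy the monitored host uses. The Segment type, the two-policy simplification, the signature list and the sample stream are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Segment:
    seq: int      # sequence number of the first payload byte
    data: bytes

def reassemble(segments: List[Segment], favour_new: bool) -> Tuple[bytes, int]:
    """Rebuild the stream under one overlap policy: favour_new=False keeps the
    byte seen first, favour_new=True lets a later overlapping segment overwrite
    it. Real TCP/IP stacks differ on exactly this choice (simplified here).
    Returns the payload and the number of overlapping bytes whose content disagreed."""
    seen: Dict[int, int] = {}
    conflicts = 0
    for seg in segments:
        for i, byte in enumerate(seg.data):
            off = seg.seq + i
            if off not in seen:
                seen[off] = byte
            elif seen[off] != byte:
                conflicts += 1
                if favour_new:
                    seen[off] = byte
    payload = bytes(seen[k] for k in sorted(seen))
    return payload, conflicts

def analyse(segments: List[Segment], signatures: List[bytes]) -> dict:
    """Scan both interpretations; alert if either matches a signature or if the
    overlap itself was ambiguous, rather than trusting one guessed policy."""
    old, conflicts = reassemble(segments, favour_new=False)
    new, _ = reassemble(segments, favour_new=True)
    hits = {"favour_old": [s for s in signatures if s in old],
            "favour_new": [s for s in signatures if s in new]}
    return {"favour_old": old, "favour_new": new,
            "conflicting_bytes": conflicts, "hits": hits,
            "alert": conflicts > 0 or any(hits.values())}

# Constructed sample stream (not captured traffic): a normal segment, then a
# "retransmission" of the same sequence range carrying different bytes.
SAMPLE = [Segment(1000, b"GET /sec"),
          Segment(1008, b"ret.txt "),
          Segment(1008, b"ZZZZZZZZ")]

if __name__ == "__main__":
    print(analyse(SAMPLE, [b"/secret"]))
```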

  8. Alert-flow control challenges
  • False positives: cannot be avoided, and increase with traffic
  • Hiding attacks: IDS evasion, alert flood, slow rate attacks, distributed attacks
  • => need for intelligent alert-flow processing components

  9. Encrypted Traffic
  • Network based IDS can't monitor encrypted traffic
  • Only known solution = decryption proxy, but hard to deploy
  • ex: HTTPS
  [Diagram: client <-HTTPS (HTTP/SSL)-> decryption proxy <-clear HTTP-> HTTP server, with the network based IDS watching the clear HTTP leg]

  10. Learning from Antivirus
  • Virus/antivirus is similar to attacks/IDS: similar techniques (signature, anomaly), probably similar results, but antivirus are more mature
  • Evasion race (IDS evasion, polymorphism, etc.) => need for a reactive/automated filter updating process
  • Anomaly detection is effective if used together with signatures

  11. Technical obstacles
  • Resistance to fragmentation/insertion/evasion => efficient TCP/IP stack
  • Monitoring high rate traffic => load balancing

  12. Solutions?
  • Approach 1: improving filters
  • Approach 2: alternative IDS architectures

  13. Efficient filters
  • Improve detection & alert-flow control. How?
  • Mixing signature & anomaly detection: a protocol anomaly analysis engine enables efficient signature matching
  • Internal caching and filtering of the alert-flow: reduces the volume of the alert-flow and allows more accurate analysis (correlation)

  14. Efficient filters: Telnet filter example

  15. Efficient filters: TCP filter example

  16. Alternative IDS structure
  • IDSs are alert-flow management systems.
  • Focus on:
    • multiplying alert sources
    • merging alert-flows from different sources
    • processing the alert-flow intelligently

  17. Suggested Architecture: Multi IDS
  • multiple IDSs
  • host & network based
  • multiple filtering techniques
  • alert-flow correlation
  [Diagram: monitored system (host / network) -> monitored data -> IDSs (snort, ISS, NFR) -> alert-flow merger -> correlation engine -> monitoring center]

  18.
  • Host based sensors: detect the host side of an attack hidden from network based IDSs (evasion, encryption, etc.)
  • Multiple different network based sensors: many different TCP/IP stack implementations => reduced risk of evasion/insertion
  • Alert-flow merging and processing: merging alert-flows, shaping the alert-flow to increase its informational load, alert correlation, data mining
  • => solves the evasion/insertion, alert-flow control & encryption problems
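The alert-flow merger and correlation engine of slides 13 and 16-18, as an added toy example that is not the author's code: constructed alerts from several sources are normalised into one record type, merged within a time window to cut the alert volume, and correlated so that a host-only hit is flagged as suspected evasion rather than dropped. The Alert type, the "hids" sensor, the window rule and the sample alerts are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Alert:
    t: float      # seconds since start of the capture
    sensor: str   # which IDS raised it
    kind: str     # "net" (network based) or "host" (host based)
    src: str
    dst: str
    sig: str      # normalised signature name shared by all sources

# Constructed alert-flow (not real data). "snort", "ISS" and "NFR" are the
# sources named on slide 17; "hids" is an assumed host based sensor.
RAW = [
    Alert(0.0, "snort", "net", "10.0.0.5", "10.0.0.9", "telnet-overflow"),
    Alert(0.4, "snort", "net", "10.0.0.5", "10.0.0.9", "telnet-overflow"),  # repeat
    Alert(0.9, "NFR", "net", "10.0.0.5", "10.0.0.9", "telnet-overflow"),
    Alert(1.1, "ISS", "net", "10.0.0.5", "10.0.0.9", "telnet-overflow"),
    Alert(5.0, "hids", "host", "10.0.0.7", "10.0.0.9", "telnet-overflow"),
    Alert(7.0, "snort", "net", "10.0.0.8", "10.0.0.9", "portscan"),
    Alert(7.5, "NFR", "net", "10.0.0.8", "10.0.0.9", "portscan"),
]

def merge(alerts: List[Alert], window: float = 2.0) -> List[Dict]:
    """Collapse alerts with the same (src, dst, sig) that arrive within
    `window` seconds of the first one into a single meta-alert."""
    groups: List[Dict] = []
    for a in sorted(alerts, key=lambda x: x.t):
        for g in groups:
            if g["key"] == (a.src, a.dst, a.sig) and a.t - g["first"] <= window:
                g["sensors"].add(a.sensor); g["kinds"].add(a.kind); g["count"] += 1
                break
        else:
            groups.append({"key": (a.src, a.dst, a.sig), "first": a.t, "count": 1,
                           "sensors": {a.sensor}, "kinds": {a.kind}})
    return groups

def correlate(groups: List[Dict]) -> List[Dict]:
    """Confidence = number of independent sensors confirming the meta-alert.
    A host based hit with no network based confirmation is the pattern slide 18
    expects for evasion or encrypted traffic, so it is flagged, not discarded."""
    for g in groups:
        g["confidence"] = len(g["sensors"])
        g["suspected_evasion"] = g["kinds"] == {"host"}
    return groups

if __name__ == "__main__":
    for meta in correlate(merge(RAW)):
        print(meta)
```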

  19. Remaining problems
  • Reactive/automated filter updating process => by out-sourcing IDS management to a specialized entity
  • Alert-flow correlation: we are now working on it!
  Conclusion
  • Intelligent data and alert-flow processing is the future of IDSs.
