
An Overview of Intrusion Detection & Countermeasure Systems – Research Directions

An Overview of Intrusion Detection & Countermeasure Systems – Research Directions. Fernando C. Colon Osorio Computer Science Department Worcester, MA 01609. Outline. Motivations A Model of an Intrusion Basic Approaches The Measurement Problem Research Directions Conclusions.


Presentation Transcript


  1. An Overview of Intrusion Detection & Countermeasure Systems – Research Directions. Fernando C. Colon Osorio, Computer Science Department, Worcester, MA 01609. PEDS II - 10072002

  2. Outline • Motivations • A Model of an Intrusion • Basic Approaches • The Measurement Problem • Research Directions • Conclusions

  3. Historical Perspective • Circa 1972 • John T. Draper discovered that he could make a free long-distance telephone call using a whistle from a Cap’n Crunch cereal box. The whistle emitted a 2,600-hertz tone that got him into the internal authorization system at the phone company. With a noisy device known as the “blue box”, Draper – soon to be known as Cap’n Crunch – made free long-distance calls possible for many. And so was born the modern technology of hacking (“cracking”): maneuvering through security walls, rigging something to avoid conventional protocols, …

  4. Motivations • In the last five (5) years, the frequency and nature of attacks by “crackers” (inside and outside threats) have grown exponentially, see Figure 1.

  5. Exponential Growth of Intrusions [figure]

  6. Motivations
  • In the last five (5) years, the frequency and nature of attacks by “crackers” (inside and outside threats) have grown exponentially, see Figure 1.
  • It has been reported that at a major eCommerce site, 40 to 60% of IT resources during a six-month period were devoted to thwarting attacks.
  • Avivah Litan, a financial analyst for the research firm Gartner, estimates that fraud cost e-tailers $700 million in lost merchandise last year alone. A Gartner study also shows that 5.2 percent of online shoppers have been victimized by credit card fraud and 1.9 percent by identity theft.
  • Further, in a twelve-month period, see Table 1 below, at least six major break-ins have occurred, and the perpetrators have not been caught.

  7. Motivations, cont. [Table 1]

  8. Motivations, cont. Needless to say, this is a really BIG problem for industry and government.

  9. Why the exponential increase?
  • Obviously, low-cost, powerful workstations and PCs for under $2K.
  • The exponential growth of the web: the number of computers connected via a network!!!
  • eCommerce companies during the dot-com boom, circa 1997-2001, rushed to deploy their sites online, giving little or no consideration to the problem of security.
  • In spite of the significant increase in the identification and elimination of software flaws, the corresponding increase in the complexity of software systems (e.g., WINDOWS XP today is 40 MB) has actually made the problem worse. Furthermore, a recent study by CERT/CC and SecurityFocus.com [9] has shown that the rate at which new vulnerabilities, easily exploitable by hackers, appear is growing exponentially.

  10. Why?, cont. • In a single phrase: software/systems functionality increase vs. size/complexity crisis!!!

  11. Intrusion Detection System – Definition. Formal Definition [10], [11]: “Intrusion Detection (ID) is the problem of identifying individuals who are using, or attempting to use, a computer system without authorization (i.e., crackers) and those who have legitimate access to the system but are abusing their privileges (i.e., the insider threat).”

  12. Intrusion Timeline [figure: a timeline that starts and ends in the state “System is Secure/Dependable” and passes through “Attacks Begin”, the 1st and 2nd intrusion attempts, the Mth and Nth intrusion attempts (both successful), “Intrusion Detected by IDS and/or IDCS” and “Intrusion Countermeasures Launched”; the intervals between these events are labelled MTBASI, MTTID, MTTCI and MTBSI, and the state during the intrusion is labelled “System is ~ Secure/Dependable”]

  13. Intrusion Timeline [same figure, highlighting the point where the attack is successful]

  14. Intrusion Timeline [same figure, highlighting the Diagnosis Region]

  15. Intrusion Timeline [same figure, highlighting the Repair/Re-Integration Region]

  16. Intrusion Timeline [same figure, highlighting the region where the system is operational]

  17. Anomaly vs. Misuse IDS systems. In past years, multiple Intrusion Detection systems have been proposed and implemented. All of the proposed systems are based on one or the other of two basic approaches: • anomaly detection • misuse detection. Note: Kumar [13] presents a fairly complete categorization of the most important systems proposed or built thus far.

  18. Anomaly Detection systems. Anomaly detection:
  • Detection of an intrusion, or attempted intrusion, is performed by detecting changes in the statistical behavior of the system, or in the behavior of the users of the system.
  • In this approach a statistical model, containing parameterized metrics of the system's operation, is constructed. For example, a statistical model that contains metrics on CPU utilization, I/O requests per second, and so forth, is constructed using historical operational data.
  • Once the model is constructed, the current behavior of the system is compared against the model, and “significant” statistical deviations from the model are flagged as potential intrusions.

  19. Problem • For anomaly intrusion detection (Bayes' rule): $P(\text{Intrusion} \mid \text{Anomaly Pattern}) = \dfrac{P(\text{Anomaly Pattern} \mid \text{Intrusion})\, P(\text{Intrusion})}{P(\text{Anomaly Pattern})}$

  20. Anomaly Detection systems – A Model. Let $A_1, A_2, \ldots, A_n$ be $n$ measures used to determine if an intrusion is occurring on a system at any given moment. Each $A_i$ measures a different aspect of the system, such as the amount of I/O, etc. Let each measure $A_i$ take one of two values, 0 or 1. Let $I$ be the hypothesis that the system is under an intrusive attack. Then the reliability and sensitivity of each measure are given by $P(A_i = 1 \mid I)$ and $P(A_i = 1 \mid \neg I)$. The combined belief in $I$ is then given by $P(I \mid A_1, A_2, \ldots, A_n)$.
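  The two slides above (Bayes' rule for anomaly patterns, and the combination of n binary measures) worked through in code. This is an added example, not part of the presentation; it assumes the measures are conditionally independent given I (a naive-Bayes assumption the slides do not state), and every probability in it is constructed.

```python
"""Combining binary anomaly measures A1..An into P(I | A1..An).

Assumes the measures are conditionally independent given I (naive Bayes);
the slide does not state this. All probabilities below are constructed.
"""


def posterior(prior_i, sens, fpr, observed):
    """Return P(I | A1..An) for one observation vector.

    prior_i  : P(I), prior probability that an intrusion is in progress
    sens[k]  : P(A_k = 1 | I), the sensitivity of measure k
    fpr[k]   : P(A_k = 1 | not I), its false-alarm rate
    observed : the current values of A1..An, each 0 or 1
    """
    like_i, like_not_i = 1.0, 1.0
    for s, f, a in zip(sens, fpr, observed):
        like_i *= s if a else 1.0 - s          # P(A_k = a | I)
        like_not_i *= f if a else 1.0 - f      # P(A_k = a | not I)
    evidence = like_i * prior_i + like_not_i * (1.0 - prior_i)  # P(A1..An)
    return like_i * prior_i / evidence


def base_rate_demo():
    """Slide 19's formula with one good measure and a rare intrusion.

    With 99% sensitivity and a 1% false-alarm rate, but only one session in
    10,000 being an intrusion, an anomaly is an intrusion under 1% of the time.
    """
    return posterior(prior_i=1e-4, sens=[0.99], fpr=[0.01], observed=[1])


def combined_demo():
    """Three weaker measures (CPU, I/O rate, failed logins) all firing at once
    raise the belief in I far more than any one of them could alone."""
    sens = [0.90, 0.90, 0.90]
    fpr = [0.05, 0.05, 0.05]
    return posterior(prior_i=1e-3, sens=sens, fpr=fpr, observed=[1, 1, 1])


if __name__ == "__main__":
    print(f"P(I | one anomaly)    = {base_rate_demo():.4f}")
    print(f"P(I | three measures) = {combined_demo():.4f}")
```

The first demo is the measurement problem the slide points at: a low prior P(I) dominates the posterior no matter how good a single measure is.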

  21. Misuse Detection systems. Misuse Detection: • The fundamental premise behind the misuse model is: attacks follow a pattern. The pattern of the attack is usually designed to exploit “known” weaknesses in the system. A classical example of such attacks are those that exploit the well-known “Buffer Overflow” problem.

  22. Misuse Detection systems. Misuse Detection:
  • In the Misuse Model of Intrusion Detection, it is assumed that attacks can be precisely encoded in a manner that captures the variations and different forms of activities perpetrated by the cracker to exploit the known vulnerabilities or weaknesses of the system.
  • These patterns or sequences of events are known as the “signature” of the intrusion. Hence, by matching new “suspected” behavior against all known signatures, the attack can be thwarted.

  23. Intrusion Timeline [same figure as slide 12, marking the realm of anomalous detection techniques and the realm of misuse detection techniques along the timeline]

  24. Figure 1 – Generic Intrusion Detection Model [Denning] [figure; components: Audit Trails/Network Packets/Application Trails, Environment, Clock, Event Generator producing S = { s1, s2, …, sn }, Activity Profile (Update Profile, Generate New Profile Dynamically, Generate Anomaly Records), Rule Set (Assert New Rules, Modify Existing Rules)]

  25. Problems with Current Approaches
  • Amongst the most important considerations and limitations present in the design of all such systems are the following set of problems.
  • Problem # 1: Feature selection and pattern categorization.
  • Simply stated, in Denning’s Model, Figure 1, it is assumed that the event generator can effectively select, a priori, the set of features or measures to monitor which will render an optimal set for Intrusion Detection.
  • Problem # 2: the problem of adaptation.
  • Systems have been built and deployed that deal very effectively with threats or intrusions previously reported or categorized.
  • When previously unseen threats appear, the systems perform poorly.
  • In the 1999 DARPA Off-Line Intrusion Detection Evaluation [14], it was reported that the systems under test failed to detect an attack in 17.2 %

  26. Problems, cont.
  • Problem # 3: Fault Tolerance
  • Resistance to subversion: systems do fail due to accidental or malicious activities.
  • The system being designed must be able to recover from the traditional forms of failure such as crashes, software failures, and so forth.
  • The system must be able to protect itself from deliberate attempts to compromise it.
  • Problem # 4: Performance
  • The system must impose minimal overhead on the system it is protecting while running.
  • The system must be capable of sustaining its performance characteristics under increasing loads and changes in the pattern of usage.

  27. Problems & Well Known Solutions Present in the IDCS field • Problem # 1: Feature selection and pattern categorization. • Simply stated, in Denning’s Model, Figure 1, it is assumed that the event generator can effectively select, a priori, the set of features or measures to monitor which will render an optimal set for Intrusion Detection.

  28. Problems & Well Known Solutions Present in the IDCS field. Honeypot:
  • A honeypot is a fake or false system to lure the hacker into. It provides another obstacle for the hacker.
  • Honeypot systems are decoy servers or systems set up to gather information regarding an attacker or intruder into your system.
  • Honeypot traps tempt intruders into areas which appear attractive, worth investigating and easy to access, taking them away from the really sensitive areas of your systems. They do not replace other traditional Internet security systems but act as an additional safeguard with alarms.
  • A honeypot is a resource which pretends to be a real target. A honeypot is expected to be attacked or compromised. The main goals are the distraction of an attacker and the gain of information about an attack and the attacker.

  29. Honeypots. Honeypots will help you: • notice when you are penetrated • learn how attacks are formed • identify who is attacking you

  30. Honeypot Examples • Honeypot Project • http://www.landfield.com/isn/mail-archive/2000/Nov/0124.html • Deception Tool Kit Project • http://www.all.net/dtk/index.html • Specter • http://www.specter.com/default50.htm

  31. “Specter” – Basic Idea • Virtual Machine (VM) environment • Early traps • Early detection

  32. Honeypot Tools – “Specter” [figure]

  33. Honeypots: Limitations • Hard to maintain • Human-resource intensive – specialized knowledge is required in: • Operating systems • Network security • Current deficiencies (holes) in both O/S and applications

  34. Honeynet. Honeynet ⊂ Honeypots. Honeynet (Defn): • A network system • All systems are standard production systems • All usage is ~ production

  35. Honeynet [figure]

  36. Problems & Well Known Solutions Present in the IDCS field
  • Problem # 2: the problem of adaptation.
  • Systems have been built and deployed that deal very effectively with threats or intrusions previously reported or categorized.
  • When previously unseen threats appear, the systems perform poorly.
  • In the 1999 DARPA Off-Line Intrusion Detection Evaluation [14], it was reported that the systems under test failed to detect an attack in 17.2 %

  37. Figure 1 – Generic Intrusion Detection Model [Denning] [figure repeated from slide 24]

  38. Figure 2 – A simplified Intrusion Detection Engine [figure; components: Environment and Clock feeding the event set S = { s1, s2, …, sn }, a Decision Engine f_g(y, S, M, P(n), T, G), the set a = { a1, a2, …, an }, and the Memory of the IDS (Rule Set/Activity Profile) maintained by Create New Rules/Profiles and Modify Existing Rules/Profiles]

  39. Intrusion Detection Models

  40. A Network Model
  • A trust function Tij(t), for i ≠ j, exists between two nodes; it is not necessarily symmetrical.
  • The trust function Tij(t) changes over time.
  • In addition, the lack of trust between two nodes will be denoted as a trust relationship of zero value, Tij(t) = 0.
  • In the above example, Node a is the source of the intruder's attack, while Node h is the target of the attack. Note that the paths available to the intruder are:
  • Path 1: a → e → g → h
  • Path 2: a → b → e → g → h
  • Path 3: a → d → g → h
  • This topological constraint amongst nodes in a network has a significant advantage over other approaches. That is, it allows the designer of the IDC System to create multiple logical layers of defense against intruders, in effect creating time to detect potential intrusions and thwart them.
  • Example
  • Let’s say that nodes b and e suspect an intrusion by using traditional audit methods. Then, nodes b and e can invoke a state change on their trust relationships with other nodes in such a way that Taj(t) = 0 for all j ≠ a and t > t of intrusion; and, Equation 1: Tej(t) = 0 for all j ≠ e and t > t of intrusion.
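  The trust-function model on this slide, as an added example that is not part of the presentation. It assumes T[i][j] is the trust node i places in node j, that an intruder can only move along an edge whose trust is nonzero, and it uses a constructed topology and constructed trust values chosen so that exactly the three a → h paths listed on the slide exist.

```python
"""Trust-function network model: which attack paths a zero-trust response closes.

Assumptions (not stated on the slide): T[i][j] is the trust node i places in
node j, and an intruder can only traverse an edge with T[i][j] > 0.
The topology and trust values below are constructed for this example.
"""


def attack_paths(T, src, dst, path=None):
    """Enumerate simple paths src -> dst that use only edges with T[i][j] > 0."""
    path = (path or []) + [src]
    if src == dst:
        return ["->".join(path)]
    found = []
    for j, trust in T.get(src, {}).items():
        if trust > 0 and j not in path:
            found.extend(attack_paths(T, j, dst, path))
    return sorted(found)


def revoke_trust(T, i):
    """Equation 1 on the slide: T_ij = 0 for all j != i from the moment of
    suspicion onward. Returns a new table; T itself is left unchanged."""
    new_t = {k: dict(v) for k, v in T.items()}
    for j in new_t.get(i, {}):
        if j != i:
            new_t[i][j] = 0.0
    return new_t


# Constructed topology: a is the intruder's source, h the target.
TRUST = {
    "a": {"b": 0.8, "d": 0.6, "e": 0.7},
    "b": {"e": 0.9},
    "d": {"g": 0.5},
    "e": {"g": 0.9},
    "g": {"h": 1.0},
    "h": {},
}


def respond(T, nodes, src="a", dst="h"):
    """Apply Equation 1 for each node in `nodes` and return the attack paths
    that remain open afterwards (the layered-defense effect on the slide)."""
    for n in nodes:
        T = revoke_trust(T, n)
    return attack_paths(T, src, dst)


if __name__ == "__main__":
    print("before:", attack_paths(TRUST, "a", "h"))
    print("after e alone revokes trust:", respond(TRUST, ["e"]))
    print("after Taj = 0 and Tej = 0 (slide's example):", respond(TRUST, ["a", "e"]))
```

Revoking trust at e alone still leaves Path 3 open (a → d → g → h), which is the point of the layered defense: each revoked node closes some paths and buys time to detect traffic on the rest.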

  41. Conclusions • A new model based on the Byzantine Generals’ problem will be investigated. • The research area is prime for discovery.
