
Distributed Intrusion Detection



  1. Distributed Intrusion Detection
     Mamata Desai (99305903), M.Tech., CSE Dept., IIT Bombay

  2. Overview
     • What is intrusion?
     • Dealing with intrusion
     • Intrusion detection principles
     • Our problem definition
     • Packages analyzed
     • Our approach
     • Experiments and results
     • Conclusions

  3. What is intrusion?
     • The potential possibility of a deliberate unauthorized attempt to:
       • Access information
       • Manipulate information
       • Render a system unreliable or unusable
     • Types of intrusions:
       • External attacks: password cracks, network sniffing, machine and service discovery utilities, packet spoofing, flooding utilities, DoS attacks
       • Internal penetrations: masqueraders, clandestine users
       • Misfeasors: misuse by authorized users

  4. Example attacks
     • Password cracking
     • Buffer overflow
     • Network reconnaissance
     • Denial of service (DoS)
     • IP spoofing

  5. Dealing with intrusion
     • Prevention: isolate from the network, strict authentication, encryption
     • Preemption: “do unto others, before they do unto you”
     • Deterrence: dire warnings (“we have a bomb too”)
     • Deflection: diversionary techniques to lure the attacker away
     • Countermeasures
     • Detection

  6. Intrusion detection principles
     • Anomaly-based
       • Form an opinion on what constitutes “normal”, and decide on a threshold beyond which behaviour is flagged as “abnormal”
       • Cannot distinguish illegal from merely abnormal behaviour
     • Signature-based
       • Model signatures of previous attacks and flag matching patterns
       • Cannot detect new, previously unseen intrusions
     • Compound (a combination of the two)

  7. System characteristics
     • Time of detection
     • Granularity of data processing
     • Source of audit data
     • Response to detected intrusions: passive vs. active
     • Locus of data processing
     • Locus of data collection
     • Security
     • Degree of interoperability

  8. Host-based vs. network-based IDS
     • Host-based IDS
       • Verifies success or failure of an attack
       • Monitors specific system activities
       • Detects attacks that network-based systems miss
       • Well suited for encrypted and switched environments
       • Near-real-time detection and response
       • Requires no additional hardware
       • Lower cost of entry

  9. …contd.
     • Network-based IDS
       • Lower cost of ownership
       • Detects attacks that host-based systems miss
       • More difficult for an attacker to remove evidence
       • Real-time detection and response
       • Detects unsuccessful attacks and malicious intent
       • Operating system independence
       • Performance issues

  10. Our problem definition
     • Portscanning
     • Our laboratory setup: multiple machines with similar configuration
     • Portscan on a single machine
     • Distributed portscan: small, evasive scans spread over multiple machines
     • Aim: detect such distributed scans

  11. Typical lab setup

  12. Types of portscans
     • Scan types:
       • TCP connect() scan
       • Stealth SYN scan
       • Stealth FIN scan
       • Xmas scan
       • Null scan
     • Scan sweeps: one-to-one, one-to-many, many-to-one, many-to-many

  13. Normal sequence of packets
     Source                        Network Messages   Target
     Send SYN, seq=x               ---------->        Receive SYN segment
     Receive SYN + ACK segment     <----------        Send SYN, seq=y, ACK x+1
     Send ACK y+1                  ---------->        Receive ACK segment
     … more packet exchanges
     Send ACK+FIN+RST              ---------->        Receive ACK+FIN+RST

  14. Stealth SYN scan
     Source                        Network Messages   Target
     Send SYN, seq=x               ---------->        Receive SYN segment
     Receive SYN + ACK segment     <----------        Send SYN, seq=y, ACK x+1
     Send RST                      ---------->        Receive RST

  15. Stealth FIN scan
     Source                        Network Messages   Target
     Send FIN                      ---------->        Receive FIN

  16. Stealth Xmas scan
     Source                        Network Messages   Target
     Send FIN+PSH+URG              ---------->        Receive FIN+PSH+URG

  17. Packages analyzed
     • Sniffit (http://sniffit.rug.ac.be/sniffit/sniffit.html)
       • A network sniffer for TCP/UDP/ICMP packets
       • Interactive mode
     • Tcpdump (http://www.tcpdump.org)
       • A tool for network monitoring and data acquisition
     • Nmap (http://www.nmap.org)
       • “Network mapper” for network exploration and security auditing
       • Various types of TCP/UDP scans, ping scans

  18. …contd
     • Portsentry (http://www.psionic.com/abacus/portsentry)
       • Host-based TCP/UDP portscan detection and active defense system
       • Stealth scan detection
       • Reacts to portscans by blocking hosts
       • Internal state engine to remember previously connected hosts
       • All violations reported to syslog
     • Snort (http://www.snort.org)
       • Network-based IDS: real-time analysis and traffic logging
       • Content searching/matching to detect attacks and probes: buffer overflows, CGI attacks, SMB probes, OS fingerprinting attacks
       • Rules language to describe the traffic to collect or pass
       • Alerts via syslog, user files, WinPopUp messages
       • Three functional modes: sniffer, packet logger, NIDS

  19. …contd
     • Portsentry
       • Binds to all ports to be monitored
       • A static “list” of monitored ports
       • State engine tracks different hosts
     • Snort
       • Portscan preprocessor: flags connections to P ports within T seconds
       • V1.8: only one-to-one and one-to-many portscans are detected

  20. Our approach
     • Pick up network packets
     • Based on which type of portscan is to be analyzed, identify the scan signature
     • Add each source and target IP address to the correlation lists
     • Use the correlation lists to infer the scan sweep: one-to-one, one-to-many, many-to-one, many-to-many

  21. Experimental Setup

  22. Detection algorithm
     • Examine each TCP packet on the network.
     • Extract source and target IP addresses and ports.
     • For each scan type to be detected, maintain a list of “valid” connections.
     • When a scan signature is detected, add the source and target IP addresses to two correlation lists, indexed by source IP and target IP respectively, and remove the entry from the connections list.

  23. …contd
     • The two correlation lists have identical structure: each records source and target IP address information along with the number of scans.
     • Scan sweeps (one-to-one, one-to-many, many-to-one and many-to-many) are detected by passes through the correlation lists.
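The scan signatures of slides 13-16 and the correlation-list algorithm of slides 20-23, as an added example that is not the presentation's own code: the packet records, the tcpdump-style flag letters and the function names are constructed assumptions, and scans against closed ports (where the target answers with RST) are deliberately not modelled.

```python
# Added example, not the presentation's code: correlation-list detector of slides 20-23.
from collections import defaultdict

# Constructed records: (src, sport, dst, dport, flags) with S=SYN A=ACK F=FIN R=RST P=PSH U=URG.
SAMPLE_PACKETS = [
    ("10.0.0.5", 40000, "10.0.0.1", 80, "S"),   # normal connect(): SYN,
    ("10.0.0.1", 80, "10.0.0.5", 40000, "SA"),  # SYN+ACK,
    ("10.0.0.5", 40000, "10.0.0.1", 80, "A"),   # ACK: valid connection, no scan
    ("10.0.0.9", 5555, "10.0.0.1", 22, "S"),    # stealth SYN scan: SYN,
    ("10.0.0.1", 22, "10.0.0.9", 5555, "SA"),   # SYN+ACK,
    ("10.0.0.9", 5555, "10.0.0.1", 22, "R"),    # RST where the ACK should be
    ("10.0.0.9", 5556, "10.0.0.2", 22, "F"),    # lone FIN: FIN scan
    ("10.0.0.7", 6000, "10.0.0.1", 25, "FPU"),  # FIN+PSH+URG: Xmas scan
    ("10.0.0.3", 7000, "10.0.0.4", 23, ""),     # no flags: Null scan
]

def scan_signature(pkt, connections):
    """Return the scan type pkt matches, or None; `connections` tracks half-open connections."""
    src, sport, dst, dport, flags = pkt
    key, f = (src, sport, dst, dport), set(flags)
    if f == {"F"}:
        return "FIN"
    if f == {"F", "P", "U"}:
        return "Xmas"
    if not f:
        return "Null"
    if f == {"S"}:                      # SYN: remember it, decide on the next packet
        connections[key] = "SYN_SENT"
    elif key in connections:
        del connections[key]            # either way it leaves the valid-connection list
        if f == {"R"}:                  # SYN was answered, then reset: SYN scan
            return "SYN"
    return None                         # ACK completed a real handshake

def detect(packets):
    """Build the two correlation lists: scans per source -> target and per target <- source."""
    connections = {}
    by_src, by_dst = defaultdict(lambda: defaultdict(int)), defaultdict(lambda: defaultdict(int))
    for pkt in packets:
        if scan_signature(pkt, connections):
            by_src[pkt[0]][pkt[2]] += 1   # source -> target
            by_dst[pkt[2]][pkt[0]] += 1   # target <- source
    return by_src, by_dst

def sweeps(by_src, by_dst):
    """Label each scanning (src, dst) pair by one pass over both correlation lists."""
    label = {(False, False): "one-to-one", (True, False): "one-to-many",
             (False, True): "many-to-one", (True, True): "many-to-many"}
    return {(s, d): label[(len(by_src[s]) > 1, len(by_dst[d]) > 1)]
            for s in by_src for d in by_src[s]}
```

On the constructed packets, 10.0.0.9 (two targets) and 10.0.0.1 (two sources) make the pair (10.0.0.9, 10.0.0.1) a many-to-many sweep, while the legitimate connect() from 10.0.0.5 never enters the correlation lists.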

  24. Experiments (figures: one-to-one scan, one-to-many scan)

  25. …contd (figures: many-to-one scan, many-to-many scan)

  26. Conclusions
     • All the scans performed by nmap were detected successfully by our detector and the correlations were accurate.
     • Some stray incidents of ident lookups did get classified as scans, due to the way closed ports behave.
