Distributed Intrusion Detection
Mamata Desai (99305903), M.Tech., CSE Dept., IIT Bombay
Overview
• What is intrusion?
• Dealing with intrusion
• Intrusion detection principles
• Our problem definition
• Packages analyzed
• Our approach
• Experiments and results
• Conclusions
What is intrusion?
• The possibility of a deliberate, unauthorized attempt to:
  • Access information
  • Manipulate information
  • Render a system unreliable or unusable
• Types of intrusions:
  • External attacks: password cracks, network sniffing, machine and service discovery utilities, packet spoofing, flooding utilities, DoS attacks
  • Internal penetrations: masqueraders, clandestine users
  • Misfeasors: authorized users who misuse their access
Example attacks
• Password cracking
• Buffer overflow
• Network reconnaissance
• Denial of service (DoS)
• IP spoofing
Dealing with intrusion
• Prevention: isolate from the network, strict authentication, encryption
• Preemption: "do unto others, before they do unto you"
• Deterrence: dire warnings ("we have a bomb too")
• Deflection: diversionary techniques to lure the attacker away
• Countermeasures
• Detection
Intrusion detection principles
• Anomaly-based
  • Form an opinion on what constitutes "normal", and decide on a threshold beyond which activity is flagged as "abnormal"
  • Cannot distinguish illegal activity from merely abnormal activity
• Signature-based
  • Model signatures of previous attacks and flag matching patterns
  • Cannot detect new intrusions
• Compound: combines both approaches
System characteristics
• Time of detection
• Granularity of data processing
• Source of audit data
• Response to detected intrusions: passive vs. active
• Locus of data processing
• Locus of data collection
• Security
• Degree of interoperability
Host-based vs. network-based IDS
• Host-based IDS
  • Verifies the success or failure of an attack
  • Monitors specific system activities
  • Detects attacks that network-based systems miss
  • Well suited to encrypted and switched environments
  • Near-real-time detection and response
  • Requires no additional hardware
  • Lower cost of entry
Host-based vs. network-based IDS (contd.)
• Network-based IDS
  • Lower cost of ownership
  • Detects attacks that host-based systems miss
  • More difficult for an attacker to remove evidence
  • Real-time detection and response
  • Detects unsuccessful attacks and malicious intent
  • Operating system independence
  • Performance issues
Our problem definition
• Portscanning
• Our laboratory setup: multiple machines with similar configuration
• Portscan on a single machine
• Distributed portscan: small, evasive scans spread across multiple machines
• Aim: detect such distributed scans
Types of portscans
• Scan types:
  • TCP connect() scan
  • Stealth SYN scan
  • Stealth FIN scan
  • Xmas scan
  • Null scan
• Scan sweeps: one-to-one, one-to-many, many-to-one, many-to-many
Normal sequence of packets
Source                      Network message     Target
Send SYN, seq=x             SYN -->             Receive SYN segment
Receive SYN+ACK segment     <-- SYN+ACK         Send SYN, seq=y, ACK x+1
Send ACK y+1                ACK -->             Receive ACK segment
… more packet exchanges
Send ACK+FIN+RST            ACK+FIN+RST -->     Receive ACK+FIN+RST
Stealth SYN scan
Source                      Network message     Target
Send SYN, seq=x             SYN -->             Receive SYN segment
Receive SYN+ACK segment     <-- SYN+ACK         Send SYN, seq=y, ACK x+1
Send RST                    RST -->             Receive RST
Stealth FIN scan
Source                      Network message     Target
Send FIN                    FIN -->             Receive FIN
Stealth Xmas scan
Source                      Network message     Target
Send FIN+PSH+URG            FIN+PSH+URG -->     Receive FIN+PSH+URG
Packages analyzed
• Sniffit (http://sniffit.rug.ac.be/sniffit/sniffit.html)
  • A network sniffer for TCP/UDP/ICMP packets
  • Interactive mode
• Tcpdump (http://www.tcpdump.org)
  • A tool for network monitoring and data acquisition
• Nmap (http://www.nmap.org)
  • "Network mapper" for network exploration and security auditing
  • Various types of TCP/UDP scans, ping scans
Packages analyzed (contd.)
• Portsentry (http://www.psionic.com/abacus/portsentry)
  • Host-based TCP/UDP portscan detection and active defense system
  • Stealth scan detection
  • Reacts to portscans by blocking hosts
  • Internal state engine to remember previously connected hosts
  • All violations reported to syslog
• Snort (http://www.snort.org)
  • Network-based IDS: real-time analysis and traffic logging
  • Content searching/matching to detect attacks and probes: buffer overflows, CGI attacks, SMB probes, OS fingerprinting attacks
  • Rules language to describe traffic to collect or pass
  • Alerts via syslog, user files, WinPopUp messages
  • Three functional modes: sniffer, packet logger, NIDS
Packages analyzed (contd.)
• Portsentry
  • Binds to all ports to be monitored
  • A static "list" of monitored ports
  • State engine tracks the different hosts seen
• Snort
  • Preprocessor: flags connections to P ports within T seconds
  • V1.8: only one-to-one and one-to-many portscans are detected
Our approach
• Pick up network packets
• Based on which type of portscan is to be analyzed, identify the scan signature
• Add each source and target IP address to the correlation lists
• Use the correlation lists to infer the scan sweep: one-to-one, one-to-many, many-to-one, many-to-many
Detection algorithm
• Examine each TCP packet on the network.
• Extract the source and target IP addresses and ports.
• For each scan type to be detected, maintain a list of "valid" connections.
• When a scan signature is detected, add the source and target IP addresses to the two correlation lists, pointed to by srcIP and tarIP respectively, and remove the entry from the connections list.
Detection algorithm (contd.)
• The two correlation lists have identical structure and record the source and target IP address information along with the number of scans.
• The scan sweeps one-to-one, one-to-many, many-to-one and many-to-many are detected by passes through the correlation lists.
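As an added example (not code from the thesis work described on these slides), the detection algorithm run over constructed packets in Python: the SYN, FIN and Xmas signatures from the packet-sequence slides are matched against the list of valid connections, each hit is entered into the two correlation lists, and a pass over those lists infers the sweep shape. The packet tuple layout, the addresses and the function names are assumptions made for the example.

```python
from collections import defaultdict
# Constructed sample traffic: (src_ip, dst_ip, service_port, flags); the service
# port on the scanned host keys the connection in both directions.
SAMPLE = [
    ("10.0.0.9", "10.0.0.1", 80, frozenset({"SYN"})),         # full handshake:
    ("10.0.0.1", "10.0.0.9", 80, frozenset({"SYN", "ACK"})),  #   a valid
    ("10.0.0.9", "10.0.0.1", 80, frozenset({"ACK"})),         #   connection
    ("10.0.0.5", "10.0.0.1", 22, frozenset({"SYN"})),         # stealth SYN scan:
    ("10.0.0.1", "10.0.0.5", 22, frozenset({"SYN", "ACK"})),  #   RST replaces
    ("10.0.0.5", "10.0.0.1", 22, frozenset({"RST"})),         #   the final ACK
    ("10.0.0.6", "10.0.0.2", 25, frozenset({"FIN"})),         # stealth FIN scan
    ("10.0.0.5", "10.0.0.2", 25, frozenset({"FIN", "PSH", "URG"})),  # Xmas scan
]
# Flag patterns that never occur on a legitimately opened connection.
STATELESS_SIGNATURES = {frozenset({"FIN"}): "FIN", frozenset(): "Null",
                        frozenset({"FIN", "PSH", "URG"}): "Xmas"}

def detect(packets):
    """Return (scans, src_list, tar_list): the scans and both correlation lists."""
    pending, scans = {}, []                           # half-open "valid" connections
    src_list = defaultdict(lambda: defaultdict(int))  # srcIP -> tarIP -> scan count
    tar_list = defaultdict(lambda: defaultdict(int))  # tarIP -> srcIP -> scan count
    def record(kind, src, tgt, port):
        scans.append((kind, src, tgt, port))
        src_list[src][tgt] += 1
        tar_list[tgt][src] += 1
    for src, dst, port, flags in packets:
        key, reply = (src, dst, port), (dst, src, port)
        if flags == {"SYN"}:
            pending[key] = "SYN"
        elif flags == {"SYN", "ACK"} and pending.get(reply) == "SYN":
            pending[reply] = "SYN/ACK"                # target answering the source
        elif flags == {"ACK"} and pending.get(key) == "SYN/ACK":
            pending.pop(key)                          # handshake done: not a scan
        elif flags == {"RST"} and pending.get(key) == "SYN/ACK":
            pending.pop(key)                          # RST in place of the final ACK
            record("SYN", src, dst, port)
        elif flags in STATELESS_SIGNATURES and key not in pending:
            record(STATELESS_SIGNATURES[flags], src, dst, port)
    return scans, src_list, tar_list

def infer_sweeps(src_list, tar_list):
    """Label each (source, target) pair with its sweep shape and scan count."""
    labels = {}
    for src, targets in src_list.items():
        for tgt, count in targets.items():            # other sources on this target?
            shape = ("many" if len(tar_list[tgt]) > 1 else "one") + "-to-" + (
                "many" if len(targets) > 1 else "one")  # other targets of this source?
            labels[(src, tgt)] = (shape, count)
    return labels
```

The completed handshake from 10.0.0.9 never reaches the correlation lists, which is the "valid connections" filter the slides describe; only the three signature hits are correlated.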
Experiments (figures not reproduced): one-to-one scan, one-to-many scan
Experiments (contd.; figures not reproduced): many-to-one scan, many-to-many scan
Conclusions
• All the scans performed by nmap were detected successfully by our detector, and the correlations were accurate.
• Some stray incidents of ident lookups did get classified as scans, due to the way closed ports behave.