Intrusion Detection (ID) • Intrusion detection is the ART of detecting inappropriate, incorrect, or anomalous activity • There are two places to do ID • Host-based • Detects intrusions from information found on the host itself (logs, processes, files) • Network-based • Detects intrusions by studying the traffic on the network.
Intrusion Detection (ID) • There are then two ways to approach ID • Knowledge-based • The IDS holds “signatures”: patterns of activity known to be unacceptable, and alarms when traffic or activity matches one. • Behavior-based • The IDS holds a profile of normal usage and looks for deviations from that profile.
Host-based ID • Uses the system's own auditing tools to detect an intrusion: • Log files • Network traffic in and out of a single computer (personal firewalls and host wrappers) • Process monitoring • Disk usage • File system changes
Host-based ID • Log files can tell you: • When a user logged in and out • How they logged in (console/telnet/ftp/ssh) • Login attempts and failures • Who gained super user / administrator access • Who sent and received mail • When the machine was rebooted • Any other loggable anomalous behavior
Host-based ID • Log files must be protected. • They are among the files most likely to be modified or deleted if an intrusion takes place, because the intruder wants to erase the evidence. • Set permissions so the logs are writable only by the logging daemon and unreadable to an ordinary account the hacker may have compromised. • Mirror the logs to another machine (remote syslog) that the hacker most likely cannot reach; an altered local copy can then be compared against the remote one. • An intruder with root can stop the local logger, so also watch for unexplained gaps in the remote copy.
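The checks listed on this slide can be automated by parsing the authentication log. The following is an added example (not part of the original deck): it runs a few regular expressions over constructed syslog/OpenSSH/PAM-style lines and reports successful logins, failed logins per source address (with an assumed threshold of three failures treated as password guessing), su-to-root sessions and reboots. The line formats are the standard ones; the hostnames, addresses and usernames are made up.

```python
import re
from collections import Counter

# Constructed sample lines in syslog/OpenSSH/PAM style; not taken from a real host.
SAMPLE_LOG = """\
Mar  3 09:12:01 host1 sshd[2201]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
Mar  3 09:12:45 host1 sshd[2210]: Failed password for root from 203.0.113.9 port 40001 ssh2
Mar  3 09:12:47 host1 sshd[2210]: Failed password for root from 203.0.113.9 port 40002 ssh2
Mar  3 09:12:49 host1 sshd[2210]: Failed password for invalid user admin from 203.0.113.9 port 40003 ssh2
Mar  3 09:12:51 host1 sshd[2210]: Failed password for root from 203.0.113.9 port 40004 ssh2
Mar  3 09:13:02 host1 sshd[2215]: Accepted publickey for bob from 10.0.0.7 port 51100 ssh2
Mar  3 09:14:10 host1 su[2230]: pam_unix(su:session): session opened for user root by bob(uid=1001)
Mar  3 09:20:00 host1 sshd[2240]: Failed password for alice from 10.0.0.5 port 51030 ssh2
Mar  3 09:30:00 host1 kernel: [    0.000000] Linux version 5.15.0 (buildd@host) (gcc 11)
"""

ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+)")
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
SU_ROOT = re.compile(r"su\[\d+\]: .*session opened for user root(?:\(uid=0\))? by (?P<user>\w+)")
BOOT = re.compile(r"kernel: .*Linux version")   # first line the kernel logs after a reboot


def analyze(log_text, fail_threshold=3):
    """Extract the facts the slide lists from an auth log.

    fail_threshold is an assumed, tunable value: this many failures from one
    source address are reported as a password-guessing attempt.
    """
    logins = []               # (user, method, source) for each successful login
    failures = Counter()      # source address -> failed attempts
    root_escalations = []     # users who obtained a root shell via su
    reboots = 0
    for line in log_text.splitlines():
        if m := ACCEPTED.search(line):
            logins.append((m["user"], m["method"], m["src"]))
        elif m := FAILED.search(line):
            failures[m["src"]] += 1
        elif m := SU_ROOT.search(line):
            root_escalations.append(m["user"])
        elif BOOT.search(line):
            reboots += 1
    brute_force = sorted(src for src, n in failures.items() if n >= fail_threshold)
    return {
        "logins": logins,
        "failures_by_source": dict(failures),
        "brute_force": brute_force,
        "root_escalations": root_escalations,
        "reboots": reboots,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample, 203.0.113.9 is reported for password guessing (four failures, one of them against a non-existent account), alice's single failure is not, bob shows up as having become root, and one reboot is counted.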
Personal Firewalls • We all know about personal firewalls by now. But… • Make the firewall write logs. They make you aware of attempted access. • If you just block traffic silently you will never know: • What hackers are trying to get to (so you can protect other systems) • Where the hackers are coming from • Whether there are other related issues
Host Wrappers • Control access to individual server programs: the wrapper sits in front of the service and decides whether to accept the connection. • Can limit based on IP address / domain • Can limit based on IP address / domain and the service requested • Can limit based on time of day or on repeated attempts • Popular host wrappers are • Unix: TCP Wrappers (tcpd, configured through /etc/hosts.allow and /etc/hosts.deny) • Windows: NukeNabber
Process Monitoring • By monitoring running processes you can see if applications are running that are not supposed to be • Unix: • ps (list running processes) • lsof (list open files, including the network sockets each process holds) • process accounting (if the kernel is configured for it) • Windows • Task Manager
Disk Usage • Sudden increases or reductions in disk storage could indicate an intrusion (an intruder storing tools or collected data, or wiping logs) • Use quotas • Unix tools • df (used and free space per filesystem) • du (storage used by a directory tree) • Windows • Properties under “My Computer”
File system changes • Monitor your system for file changes: • Size • Modification date • File permissions • Ownership • Inode number (a changed inode means the file was replaced rather than edited in place) • Contents, via a cryptographic hash: a modification that keeps the size and date is caught only this way • Popular tools are • Tripwire (www.tripwire.com) • Symantec (www.symantec.com) • ISS, now part of IBM (www.iss.net)
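What Tripwire-style tools do is take a baseline of those attributes and later compare a fresh scan against it. The following is an added example written for this page, not Tripwire's or any vendor's code: it records size, mtime, permission bits, owner, inode and a SHA-256 of the contents for every file under a directory, diffs two such baselines, and runs a constructed scenario in a temporary directory (a same-length edit of a file, a setuid bit added to a script, one file deleted, one dropped). File names in the scenario are made up.

```python
import hashlib
import os
import stat
import tempfile


def fingerprint(path):
    """Attributes the slide lists plus a content hash for one file."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                digest.update(chunk)
    return {
        "size": st.st_size,
        "mtime": st.st_mtime_ns,
        "mode": stat.S_IMODE(st.st_mode),   # permission bits incl. setuid/setgid/sticky
        "uid": st.st_uid,
        "gid": st.st_gid,
        "inode": st.st_ino,
        "sha256": digest.hexdigest(),
    }


def build_baseline(root):
    """Map relative path -> fingerprint for every file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = fingerprint(full)
    return baseline


def compare(old, new):
    """Diff two baselines: added and removed paths, and for each changed path
    the list of attributes that differ."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = {}
    for path in set(old) & set(new):
        diffs = [k for k in old[path] if old[path][k] != new[path][k]]
        if diffs:
            changed[path] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed scenario: baseline a small tree, simulate typical intruder
    changes, re-scan and return the diff."""
    with tempfile.TemporaryDirectory() as root:
        def path(name):
            return os.path.join(root, name)

        with open(path("passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(path("ls"), "w") as f:
            f.write("#!/bin/sh\nexec /bin/ls \"$@\"\n")
        with open(path("gone.txt"), "w") as f:
            f.write("old\n")
        os.chmod(path("ls"), 0o755)
        before = build_baseline(root)

        # Same-length edit: size is unchanged, so only the hash (and mtime) reveal it.
        with open(path("passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/zz\n")
        # Setuid bit added: mode changes, contents and mtime do not.
        os.chmod(path("ls"), 0o4755)
        os.remove(path("gone.txt"))
        with open(path("new.txt"), "w") as f:
            f.write("dropped tool\n")
        after = build_baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    print(demo())
```

The baseline itself must be stored off the monitored host or on read-only media; an intruder who can edit the files can otherwise just regenerate it, which is the same problem the slide above raises for log files.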
Network-based ID • Generally done by putting a network card in promiscuous mode and monitoring all the traffic on the segment • With a knowledge-based approach, packets are considered “interesting” if they match a “signature” • There are 3 different types of signature: • String • Port • Header condition
Network-based ID • String signatures look for certain byte strings inside a packet, like “password”, “rhosts”, “su”, etc. • Port signatures watch for connections to well-known ports that have security problems (nfs) or are frequently attacked (ftp, telnet, imap) • Header condition signatures look for malformed or nonsensical headers: • SYN and FIN set in the same TCP packet (not allowed) • Extremely large window size • Urgent flag set on a NetBIOS (port 139) packet (WinNuke)
Network-based ID • Well-known network-based intrusion detection systems include: • Symantec (www.symantec.com) • Cisco (www.cisco.com) • ISS, now part of IBM (www.iss.net) • Snort (www.snort.org)
Knowledge Based ID • Almost all ID systems are knowledge based • The IDS contains information about known attack methods and detects them • Only as good as the “signatures” in the IDS • Signatures must be updated constantly • Very good at detecting a known intrusion • Low false alarm rate: an alarm means a signature matched • Gives a good indication of how to harden your system • Good analysis of the intrusion, with evidence that can be used to “get” the intruder.
Knowledge Based ID • Drawbacks include: • Only detects known intrusions • Closely tied to the operating system and the programs running on it. • Very difficult to write a signature for a new intrusion without also catching valid access.
Behavior Based ID • Works by detecting a change in “normal” behavior. • Normal behavior is learned by monitoring the system for a period of time (the learning phase). • This model of normal behavior is then compared to current activity. If there is a difference between the model “norm” and current activity, an alarm is raised.
Behavior Based ID • Advantages: • Can see new and unforeseen attacks • Less dependent on OS-specific mechanisms • Can even see ‘abuse of privilege’, which is not necessarily an attack … just an abuse • It is considered paranoid. Any change from “normal” is bad until incorporated into the “normal” pattern. • Disadvantages • Many false alarms • Difficult to establish what “normal” behavior is • Behavior changes over time, so the profile must be re-learned • An attack can be “learned” as normal behavior if it occurs during the learning phase
Intrusion Detection • Both host-based and network-based ID should be used to protect your system. • http://www.sans.org/resources/idfaq/
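The simplest form of the profile described on the two slides above is a per-feature mean and standard deviation from the learning phase, with an alarm when a new observation lies more than a few standard deviations away. The following is an added example (not from the deck) on constructed per-day counters for one user; it also reproduces the last disadvantage: when attack-like days are part of the learning phase, the same attack day no longer raises an alarm. The feature names, values and the z-score threshold of 3 are assumptions for the example.

```python
from statistics import mean, pstdev

# Constructed learning-phase samples, one record per day for one user. Not real data.
CLEAN_TRAINING = [
    {"failed_logins": f, "bytes_out_mb": b, "root_sessions": r}
    for f, b, r in [(1, 60, 0), (0, 55, 1), (2, 70, 0), (1, 65, 0), (0, 50, 1),
                    (1, 80, 0), (2, 60, 0), (1, 75, 1), (0, 65, 0), (1, 60, 0)]
]
# Attack-like days, as they would appear if the attack ran during the learning phase.
POISON_DAYS = [
    {"failed_logins": f, "bytes_out_mb": b, "root_sessions": r}
    for f, b, r in [(35, 850, 4), (40, 900, 5), (45, 950, 6)]
]
NORMAL_DAY = {"failed_logins": 2, "bytes_out_mb": 72, "root_sessions": 1}
ATTACK_DAY = {"failed_logins": 40, "bytes_out_mb": 900, "root_sessions": 5}


def learn(training):
    """Build the profile: (mean, stddev) per feature over the learning window."""
    profile = {}
    for feature in training[0]:
        values = [sample[feature] for sample in training]
        profile[feature] = (mean(values), pstdev(values))
    return profile


def score(profile, sample, threshold=3.0):
    """Compare one observation against the profile.

    Returns {feature: z-score} for every feature more than `threshold`
    standard deviations from its learned mean. A feature that never varied
    during learning (stddev 0) is 'paranoid': any change at all is flagged.
    """
    anomalies = {}
    for feature, (mu, sigma) in profile.items():
        delta = abs(sample[feature] - mu)
        if sigma > 0:
            z = delta / sigma
        else:
            z = float("inf") if delta > 0 else 0.0
        if z > threshold:
            anomalies[feature] = round(z, 2)
    return anomalies


if __name__ == "__main__":
    clean = learn(CLEAN_TRAINING)
    print("normal day:", score(clean, NORMAL_DAY))
    print("attack day:", score(clean, ATTACK_DAY))
    poisoned = learn(CLEAN_TRAINING + POISON_DAYS)
    print("attack day, poisoned profile:", score(poisoned, ATTACK_DAY))
```

With the clean profile the attack day is flagged on all three features and the normal day on none; with three attack-like days in the learning window the standard deviations grow so much that the identical attack day scores under 2 on every feature and passes silently. The practical consequence is that the learning window has to be checked by other means (the knowledge-based signatures, or manual review) before its profile is trusted.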