NU MSIT 458 - Intrusion Detection and Prevention Systems


Contents
• Definitions
• Elements of Intrusion Detection
• Components of Intrusion Detection System
• Intrusion Detection Approaches
• Misuse Detection
• Anomaly Detection
• Host-Based IDSs
• The Spread of Sapphire/Slammer Worms
• Network Based IDSs
• Network IDSs
• Host-based vs. Network-based IDS
• Key Metrics of IDS/IPS
• Architecture of Network IDS
• Firewall/Net IPS VS Net IDS
• Related Tools for Network IDS (I), (II)
• Case Study: Snort IDS
• Backup Slides: Problems with Current IDSs; Limitations of Exploit Based Signature; Vulnerability Signature; Example of Vulnerability Signatures; Next Generation IDSs; Counting Zero-Day Attacks; Security Information Fusion; Requirements of Network IDS

Intrusion Detection/Prevention Systems

Definitions
• Intrusion
  – A set of actions aimed at compromising the security goals, namely integrity, confidentiality, or availability, of a computing and networking resource
• Intrusion detection
  – The process of identifying and responding to intrusion activities
• Intrusion prevention
  – An extension of intrusion detection that also exercises access control to protect computers from exploitation

Elements of Intrusion Detection
• Primary assumptions:
  – System activities are observable
  – Normal and intrusive activities have distinct evidence
• Components of intrusion detection systems:
  – From an algorithmic perspective:
    • Features: capture intrusion evidence
    • Models: piece the evidence together
  – From a system architecture perspective:
    • Various components: audit data processor, knowledge base, decision engine, alarm generation and responses

Components of Intrusion Detection System
(Diagram.) Audit records enter an audit data preprocessor, which produces activity data. A detection engine applies the detection models to the activity data and raises alarms. A decision engine consults the decision table for each alarm and produces the action/report. The diagram rests on the two assumptions above: system activities are observable, and normal and intrusive activities have distinct evidence.

Intrusion Detection Approaches
• Modeling
  – Features: evidence extracted from audit data
  – Analysis approach: piecing the evidence together
    • Misuse detection (a.k.a. signature-based)
    • Anomaly detection (a.k.a. statistical-based)
• Deployment: network-based or host-based
  – Network based: monitor network traffic
  – Host based: monitor computer processes

Misuse Detection
(Diagram: activities → pattern matching against intrusion patterns → intrusion.)
• Intrusion patterns: sequences of system calls, patterns of network traffic, etc.
• Example: if (traffic contains "x90+de[^\r\n]{30}") then "attack detected"
• Can't detect new attacks
• Problems?

Anomaly Detection
(Diagram: activity measures → comparison with the normal profile → probable intrusion.)
• Define a profile describing "normal" behavior, then detect deviations from it.
• Relatively high false positive rates
  – Anomalies can just be new normal activities
  – Anomalies can be caused by faults in other elements, e.g., router failure or misconfiguration, P2P misconfiguration
• Which method will detect DDoS SYN flooding?
• Any problem?

Host-Based IDSs
• Use OS auditing and monitoring mechanisms to find applications taken over by an attacker
  – Log all relevant system events (e.g., file/device accesses)
  – Monitor shell commands and system calls executed by user applications and system programs
• Pay a price in performance if every system call is filtered
• Problems:
  – User dependent: the IDS must be installed and updated on all user machines!
  – If the attacker takes over the machine, they can tamper with the IDS binaries and modify the audit logs
  – Only a local view of the attack

The Spread of Sapphire/Slammer Worms
(Figure only.)

Network Based IDSs
• At the early stage of a worm, only limited worm samples exist.
• Host-based sensors can only cover limited IP space, which has scalability issues. Thus they might not be able to detect the worm in its early stage.
(Diagram: Internet → gateway routers → our network, with host-based detection only on hosts inside the network.)

Network IDSs
• Deploying sensors at strategic locations
  – For example, packet sniffing via tcpdump at routers
• Inspecting network traffic
  – Watch for violations of protocols and unusual connection patterns
  – Look into the packet payload for malicious code
• Limitations
  – Cannot execute the payload or do any code analysis!
  – Even DPI gives limited application-level semantic information
  – Must record and process a huge amount of traffic
  – May be easily defeated by encryption; this can be mitigated by terminating the encryption at the gateway/proxy, where the IDS can inspect the plaintext

Host-based vs. Network-based IDS
• Give an attack that can only be detected by a host-based IDS but not by a network-based IDS
• Sample question:
  – SQL injection attack
• Can you give an example that can only be detected by a network-based IDS but not by a host-based IDS?

Key Metrics of IDS/IPS
• Algorithm
  – Alarm: A; Intrusion: I
  – Detection (true alarm) rate: P(A|I)
    • False negative rate: P(¬A|I) = 1 − P(A|I)
  – False alarm (a.k.a. false positive) rate: P(A|¬I)
    • True negative rate: P(¬A|¬I) = 1 − P(A|¬I)
• Architecture
  – Throughput of NIDS, targeting 10s of Gbps
    • E.g., at 10 Gbps a 40-byte TCP SYN packet arrives every 32 nsec
  – Resilient to attacks

Architecture of Network IDS
(Diagram: pipeline.) Packet capture (libpcap) → TCP reassembly → protocol identification → packet stream → signature matching (& protocol parsing when needed)

Firewall/Net IPS VS Net IDS
• Firewall/IPS
  – Active filtering
  – Fail-close
• Network IDS
  – Passive monitoring
  – Fail-open
(Diagram: the firewall sits inline on the traffic path; the IDS monitors a copy of the traffic.)

Related Tools for Network IDS (I)
• While not an element of Snort, Wireshark (formerly called Ethereal) is the best open source GUI-based packet viewer
• www.wireshark.org offers:
  – Support for various OSes: Windows, Mac OS
    • Included in the standard packages of many different versions of Linux and UNIX
  – Support for both wired and wireless networks

Related Tools for Network IDS (II)
• Also not an element of Snort, tcpdump is a well-established CLI packet capture tool
  – www.tcpdump.org offers the UNIX source
  – http://www.winpcap.org/windump/ offers WinDump, a Windows port of tcpdump

Case Study: Snort IDS

Backup Slides

Problems with Current IDSs
• Inaccuracy of exploit-based signatures
• Cannot recognize unknown anomalies/intrusions
• Cannot provide quality information for forensics or situational-aware analysis
  – Hard to differentiate malicious events from unintentional anomalies
    • Anomalies can be caused by network element faults, e.g., router misconfiguration, link failures, etc., or by application (such as P2P) misconfiguration
  – Cannot tell the situational-aware information: attack scope/target/strategy, attacker (botnet) size, etc.

Limitations of Exploit Based Signature
(Figure: a bit string of traffic entering "our network".)
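The Misuse Detection and Anomaly Detection slides above ask which method would catch a DDoS SYN flood. The following is an added example, not code from the lecture: it runs the slide's signature (the leading "x90" is read here as the byte \x90, an x86 NOP, which the slide does not state) beside a simple statistical profile of SYNs per second, over constructed one-second traffic windows. The SYN flood carries no payload, so the signature never fires; the rate profile catches it, but also fires on a legitimate burst of new clients, which is the false-positive problem the slide warns about.

```python
import re
import statistics

# The slide's misuse-detection example, "x90+de[^\r\n]{30}", with x90 read as
# the byte 0x90 (assumption): a NOP sled, then "de", then 30 non-newline bytes.
NOP_SLED = re.compile(rb"\x90+de[^\r\n]{30}")


def misuse_detect(packets, signature=NOP_SLED):
    """Signature-based detection: indices of packets whose payload matches a
    known intrusion pattern. Anything else is silently missed, including
    attacks that carry no payload at all."""
    return [i for i, pkt in enumerate(packets) if signature.search(pkt["payload"])]


class SynRateProfile:
    """Anomaly detection: learn the 'normal' number of TCP SYNs per second,
    then flag any second whose SYN count exceeds mean + k standard deviations."""

    def __init__(self, normal_counts, k=3.0):
        self.mean = statistics.fmean(normal_counts)
        self.stdev = statistics.pstdev(normal_counts)
        self.threshold = self.mean + k * self.stdev

    def is_anomalous(self, packets):
        syns = sum(1 for pkt in packets if pkt["flags"] == "S")
        return syns > self.threshold


def syn(src):
    return {"src": src, "flags": "S", "payload": b""}


def data(src, payload):
    return {"src": src, "flags": "PA", "payload": payload}


# Constructed training data: SYNs observed per second during normal operation.
NORMAL_SYNS_PER_SECOND = [8, 10, 9, 11, 10, 12, 9, 10]

# Constructed one-second windows (not captured traffic).
SYN_FLOOD = [syn(f"10.0.{i // 256}.{i % 256}") for i in range(500)]  # spoofed sources, no payload
EXPLOIT = [syn("198.51.100.7"),
           data("198.51.100.7", b"\x90" * 64 + b"de" + b"A" * 30 + b"\r\n")]
FLASH_CROWD = [syn(f"203.0.113.{i}") for i in range(40)]  # legitimate burst of new clients


def compare(window, profile):
    """Run both detectors on one window and report which of them alarms."""
    return {"misuse": bool(misuse_detect(window)), "anomaly": profile.is_anomalous(window)}


if __name__ == "__main__":
    profile = SynRateProfile(NORMAL_SYNS_PER_SECOND)
    print(f"profile: mean={profile.mean:.2f} threshold={profile.threshold:.2f} SYN/s")
    for name, window in [("SYN flood", SYN_FLOOD), ("exploit", EXPLOIT), ("flash crowd", FLASH_CROWD)]:
        print(f"{name:12s} {compare(window, profile)}")
```

The flood and the flash crowd look identical to the rate profile, which is why a practitioner backs an anomaly alert with context (SYN/ACK completion ratio, source diversity, whether the spike coincides with a known event) before treating it as an attack.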
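The Key Metrics slide defines the four conditional rates and the per-packet time budget. The example below is added here and is not part of the lecture; it computes those quantities from a constructed 2x2 table of evaluation outcomes and, going one step beyond the slide, applies Bayes' rule to show how an IDS with a 95% detection rate and a 1% false-alarm rate still produces mostly false alarms when intrusions are rare (base rate assumed to be 1 in 1000, a made-up figure).

```python
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class Outcomes:
    """Counts from a labelled evaluation run. Each event either is an intrusion
    (I) or is not (not I), and the IDS either alarmed (A) or did not (not A)."""
    true_alarms: int      # A and I
    missed: int           # not A and I
    false_alarms: int     # A and not I
    true_negatives: int   # not A and not I


def detection_rate(o):
    """P(A|I): fraction of real intrusions that produced an alarm."""
    return Fraction(o.true_alarms, o.true_alarms + o.missed)


def false_negative_rate(o):
    """P(not A|I) = 1 - P(A|I)."""
    return 1 - detection_rate(o)


def false_alarm_rate(o):
    """P(A|not I): fraction of benign events that produced an alarm."""
    return Fraction(o.false_alarms, o.false_alarms + o.true_negatives)


def true_negative_rate(o):
    """P(not A|not I) = 1 - P(A|not I)."""
    return 1 - false_alarm_rate(o)


def alarm_precision(p_a_given_i, p_a_given_not_i, p_i):
    """P(I|A) by Bayes' rule: the probability that an alarm is a real intrusion,
    given the intrusion base rate P(I). Not on the slide; added because the two
    conditional rates alone do not say whether an analyst can trust an alarm."""
    p_a = p_a_given_i * p_i + p_a_given_not_i * (1 - p_i)
    return p_a_given_i * p_i / p_a


def packet_time_budget_ns(packet_bytes, link_gbps):
    """Nanoseconds available per packet at line rate:
    packet_bytes * 8 bits / (link_gbps * 1e9 bit/s), expressed in ns."""
    return packet_bytes * 8 / link_gbps


# Constructed evaluation counts and base rate, not measurements of any real IDS.
SAMPLE = Outcomes(true_alarms=95, missed=5, false_alarms=10, true_negatives=990)
BASE_RATE = Fraction(1, 1000)

if __name__ == "__main__":
    print("P(A|I)   =", detection_rate(SAMPLE))        # 19/20
    print("P(not A|I) =", false_negative_rate(SAMPLE))  # 1/20
    print("P(A|not I) =", false_alarm_rate(SAMPLE))     # 1/100
    print("P(not A|not I) =", true_negative_rate(SAMPLE))  # 99/100
    precision = alarm_precision(detection_rate(SAMPLE), false_alarm_rate(SAMPLE), BASE_RATE)
    print("P(I|A) at base rate 1/1000 =", precision, "~", round(float(precision), 3))  # 95/1094 ~ 0.087
    print("ns per 40-byte SYN at 10 Gbps =", packet_time_budget_ns(40, 10))  # 32.0
```

Fractions are used so the rates print exactly; the 32 ns figure is the slide's own arithmetic (40 bytes x 8 bits / 10 Gbit/s), and it is the budget for the whole pipeline on the next slide, capture through signature matching, per packet.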
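The Architecture of Network IDS slide puts TCP reassembly before signature matching. The example below, added here and not part of the lecture, shows why: a constructed request whose signature bytes straddle two TCP segments (arriving out of order) is missed when each segment is matched on its own, and found once the stream is reassembled by sequence number. The reassembler, the signature and the request are all constructed for this example.

```python
import re

# Constructed signature: the byte string a misuse detector is looking for.
SIGNATURE = re.compile(rb"cmd=/bin/sh")


def per_packet_match(segments, signature):
    """Naive NIDS: match each TCP segment's payload in isolation.
    Returns the sequence numbers of segments that matched."""
    return [seq for seq, payload in segments if signature.search(payload)]


class TcpReassembler:
    """Minimal one-direction TCP reassembler: buffers segments by sequence
    number, delivers bytes in order, tolerates out-of-order arrival and drops
    bytes already delivered. A real NIDS must also model how the target host
    resolves overlapping retransmissions with differing content; this toy
    keeps the first copy it delivered."""

    def __init__(self, isn):
        self.next_seq = isn          # next byte the stream expects
        self.pending = {}            # seq -> payload, waiting for a gap to fill
        self.stream = bytearray()

    def add(self, seq, payload):
        if seq < self.next_seq:      # retransmission; keep only the new tail, if any
            skip = self.next_seq - seq
            if skip >= len(payload):
                return
            seq, payload = self.next_seq, payload[skip:]
        self.pending.setdefault(seq, payload)
        while self.next_seq in self.pending:   # drain everything now contiguous
            chunk = self.pending.pop(self.next_seq)
            self.stream += chunk
            self.next_seq += len(chunk)

    def data(self):
        return bytes(self.stream)


def reassemble(segments, isn):
    r = TcpReassembler(isn)
    for seq, payload in segments:
        r.add(seq, payload)
    return r.data()


def stream_match(segments, signature, isn):
    """NIDS that matches on the reassembled byte stream."""
    return signature.search(reassemble(segments, isn)) is not None


# Constructed request; the split point lands inside "cmd=" so neither segment
# contains the whole signature.
ISN = 1000
PAYLOAD = b"POST /run HTTP/1.0\r\n\r\ncmd=/bin/sh -c id\r\n"
CUT = PAYLOAD.index(b"cmd=") + 2
SEGMENTS = [(ISN + CUT, PAYLOAD[CUT:]),   # second half arrives first
            (ISN, PAYLOAD[:CUT])]

if __name__ == "__main__":
    print("per-packet matches:", per_packet_match(SEGMENTS, SIGNATURE))   # []
    print("stream match:      ", stream_match(SEGMENTS, SIGNATURE, ISN))  # True
    print("reassembled ok:    ", reassemble(SEGMENTS, ISN) == PAYLOAD)   # True
```

Splitting a payload across segment boundaries is the simplest of the insertion/evasion tricks a NIDS must survive; the "resilient to attacks" bullet on the metrics slide covers exactly this class of problem, and it is the reason reassembly state (and its memory cost under a flood of half-open streams) is part of the architecture rather than an optimisation.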
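The backup slides contrast exploit-based signatures (listed as inaccurate under "Problems with Current IDSs") with vulnerability signatures. The example below is added here and is not from the lecture; the protocol, the buffer size and the signature bytes are all hypothetical. It checks the same four constructed messages against an exploit-based signature (the bytes of one captured exploit) and a vulnerability signature (the protocol condition that triggers the bug, here a name field longer than the server's 64-byte buffer), and shows the exploit signature failing in both directions.

```python
import re
from dataclasses import dataclass

# Hypothetical toy protocol: a request is "NAME:<decimal length>:<name bytes>".
# Hypothetical bug: the server copies the name into a fixed 64-byte buffer.
BUFFER_SIZE = 64


@dataclass(frozen=True)
class Message:
    declared_len: int
    name: bytes


def parse_message(raw):
    """Parse the toy request; None if it is not well formed."""
    m = re.match(rb"NAME:(\d+):", raw)
    if not m:
        return None
    return Message(int(m.group(1)), raw[m.end():])


# Exploit-based signature: literal bytes taken from one (constructed) exploit,
# a 16-byte NOP sled followed by four 0xCC bytes.
EXPLOIT_SIGNATURE = re.compile(rb"\x90{16}\xcc{4}")


def exploit_signature_match(raw):
    return EXPLOIT_SIGNATURE.search(raw) is not None


def vulnerability_signature_match(raw):
    """Fires on the condition that reaches the bug, whatever bytes are used:
    the name (declared or actual) does not fit the server's buffer."""
    msg = parse_message(raw)
    if msg is None:
        return False
    return msg.declared_len > BUFFER_SIZE or len(msg.name) > BUFFER_SIZE


def classify(raw):
    return {"exploit_signature": exploit_signature_match(raw),
            "vulnerability_signature": vulnerability_signature_match(raw)}


# Constructed messages.
BENIGN = b"NAME:5:alice"
KNOWN_EXPLOIT = b"NAME:100:" + b"\x90" * 16 + b"\xcc" * 4 + b"B" * 80
VARIANT = b"NAME:100:" + b"A" * 40 + b"\x90" * 4 + b"\xcc" * 4 + b"C" * 52  # same overflow, new bytes
NOP_LIKE_DATA = b"NAME:20:" + b"\x90" * 16 + b"\xcc" * 4                      # fits the buffer, no bug

if __name__ == "__main__":
    for label, raw in [("benign", BENIGN), ("known exploit", KNOWN_EXPLOIT),
                       ("variant", VARIANT), ("nop-like data", NOP_LIKE_DATA)]:
        print(f"{label:14s} {classify(raw)}")
```

The variant is a false negative for the exploit signature and the NOP-like data is a false positive; the vulnerability signature gets both right because it parses the protocol and tests the bug's trigger condition, which is also why the architecture slide lists "protocol parsing when needed" next to signature matching.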

