Network Intrusion Detection: Capabilities & Limitations
Vern Paxson
International Computer Science Institute
Lawrence Berkeley National [email protected] 16, 2005

Slide 2: Outline
- What problem are we trying to solve?
- Why network intrusion detection? Why not?
- Styles of approaches.
- Architecture of a network intrusion detection system (NIDS).
- The fundamental problem of evasion.
- Detecting activity: scanners, stepping stones.

Slide 3: What Problem Are We Trying To Solve?
- A crucial basic question is: what is your threat model?
  - What are you trying to protect?
  - Using what sort of resources?
  - Against what sort of adversary, who has what sort of goals and capabilities?
- It's all about shades of grey, policy decisions, limited expenditure, risk management.

Slides 4-6: Types of Threats (incremental build)
- In general, two types of threats: insider and outsider.
- Insider threat:
  - Hard to detect, hard to quantify
  - Can be really damaging
  - In many contexts, apparent prevalence: rare
- Outsider threat:
  - Attacks from over the Internet: ubiquitous.
  - Internet sites are incessantly probed:
    - "Background radiation": on average, Internet hosts are probed every 90 sec
    - Medium-size site: 10,000s of remote scanners each day.
  - What do they scan for? A wide and changing set of services/vulnerabilities, attacked via "auto-rooters" or worms.
  - Increasingly, not just "over the Internet": laptops and home machines erode the notion of a "perimeter".

Slide 7: What Are They After?
- Short answer: not us. Most attacks are not targeted.
- They seek bragging rights: e.g., via IRC or Web page defacement.
- They seek zombies for: DDoS slaves, spamming, bots-for-sale, finding more targets.
- They seek more of themselves (worms).
- Most don't cause damage beyond cleanup costs.
- But: this is changing with the commercialization of malware.

Slide 8: What can you learn watching a network link?
- Far and away, most traffic travels across the Internet unencrypted.
- Communication is layered, with higher layers corresponding to greater semantic content.
- The entire communication between two hosts can be reassembled: individual packets (e.g., TCP/IP headers), application connections (TCP byte streams), user sessions (Web surfing).
- You can do this in real time.

Slide 9: Tapping links, con't:
- Appealing because it's cheap and gives broad coverage.
- You can have multiple boxes watching the same traffic.
- Generally (not always) undetectable.
- Can also provide insight into a site's general network use.

Slide 10: Problems with passive monitoring
- Reactive, not proactive. However, this is changing with intrusion prevention systems.
- Assumes a network-oriented (often "external") threat model.
- For high-speed links, the monitor may not keep up. Accordingly, monitors often rely on filtering. Very high speed: beyond the state of the art.
- Depending on "vantage point", sometimes you see only one side of a conversation (especially inside a backbone).
- Against a skilled opponent, there is a fundamental problem of evasion: confusing/manipulating the monitor.

Slide 11: Styles of intrusion detection: Signature-based
- Core idea: look for specific, known attacks.
- Example, a Snort rule (the slide dropped Snort's parentheses and option separators, restored here; a rule Snort will actually load also needs sid/rev options, which the slide omits):

    alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (
        flow:to_server,established;
        content:"|eb2f 5feb 4a5e 89fb 893e 89f2|";
        msg:"EXPLOIT x86 linux samba overflow";
        reference:bugtraq,1816;
        reference:cve,CVE-1999-0811;
        classtype:attempted-admin;
    )

Slide 12: Signature-based, con't:
- Can be at different semantic layers, e.g.: IP/TCP header fields; packet payload; URLs.
- Pro: good attack libraries, easy-to-understand results.
- Con: unable to detect new attacks, or even just variants.

Slide 13: Styles of intrusion detection: Anomaly detection
- Core idea: attacks are peculiar.
- Approach: build/infer a profile of "normal" use, flag deviations.
- Example: "user joe only logs in from host A, usually at night."
- Note: works best for narrowly-defined entities, though sometimes there's a sweet spot, e.g., content sifting or scan detection.
- Pro: potentially detects a wide range of attacks, including novel ones.
- Con: potentially misses a wide range of attacks, including known ones.
- Con: can potentially be "trained" to accept attacks as normal.

Slide 14: Styles of intrusion detection: Specification-based
- Core idea: codify a specification of what a site's policy permits; look for patterns of activity that deviate.
- Example: "user joe is only allowed to log in from host A."
- Pro: potentially detects a wide range of attacks, including novel ones.
- Pro: the framework can accommodate signatures and anomalies.
- Pro: directly supports implementing a site's policy.
- Con: policies/specifications require significant development and maintenance.
- Con: hard to construct attack libraries.

Slide 15: Some general considerations about the problem space
- Security is about policy.
- The goal is risk management, not bulletproof protection.
- All intrusion detection systems suffer from the twin problems of false positives and false negatives. These are not minor, but an Achilles' heel.
- Scaling works against us: as the volume of monitored traffic grows, so does its diversity.
- Much of the state of the art is at the level of car alarms. Sure, for many attackers, particularly unskilled ones, they go off …
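Slide 8 says a monitor can rebuild TCP byte streams from the individual packets it sees, and slide 11 shows a content signature applied to such traffic. The Python below is an added example written for this page, not code from the talk and not Snort's engine: it reassembles constructed out-of-order and retransmitted segments into one stream, then applies the Samba content bytes from the slide 11 rule to it, with a naive per-packet matcher alongside to show why reassembly is necessary. The hosts, ports, sequence numbers, sample segments and helper names are all made up; only the hex content comes from the slide.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

FlowKey = Tuple[str, int, str, int]   # (src, sport, dst, dport)


@dataclass
class Segment:
    """One TCP segment as seen on the wire (only the header fields we need)."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    payload: bytes = b""
    syn: bool = False


@dataclass
class Stream:
    """Reassembly state for one direction of one connection."""
    next_seq: int                      # next in-order byte the monitor expects
    data: bytearray = field(default_factory=bytearray)
    pending: Dict[int, bytes] = field(default_factory=dict)   # out-of-order segments

    def add(self, seq: int, payload: bytes) -> None:
        if seq < self.next_seq:
            # Retransmission: drop the bytes already delivered, keep any new tail.
            # "First copy wins" is this monitor's policy; an end host may resolve a
            # conflicting retransmission differently, which is the ambiguity that
            # evasion attacks on a NIDS exploit.
            skip = self.next_seq - seq
            if skip >= len(payload):
                return
            seq, payload = self.next_seq, payload[skip:]
        if payload:
            self.pending[seq] = payload
        while self.next_seq in self.pending:   # drain whatever is now contiguous
            chunk = self.pending.pop(self.next_seq)
            self.data.extend(chunk)
            self.next_seq += len(chunk)


@dataclass
class Signature:
    msg: str
    dport: int
    content: bytes


# Content bytes from the Snort rule on slide 11.
SAMBA_SIG = Signature("EXPLOIT x86 linux samba overflow", 139,
                      bytes.fromhex("eb2f5feb4a5e89fb893e89f2"))


def reassemble(segments: List[Segment]) -> Dict[FlowKey, Stream]:
    """Group segments by 4-tuple and rebuild each direction's byte stream."""
    streams: Dict[FlowKey, Stream] = {}
    for s in segments:
        key = (s.src, s.sport, s.dst, s.dport)
        if s.syn:
            streams[key] = Stream(next_seq=s.seq + 1)   # SYN consumes one sequence number
            continue
        if key not in streams:
            # Flow picked up mid-stream (no SYN seen): best effort, start here.
            streams[key] = Stream(next_seq=s.seq)
        streams[key].add(s.seq, s.payload)
    return streams


def match_per_packet(segments: List[Segment], sigs: List[Signature]) -> List[str]:
    """Naive matcher that inspects each segment on its own."""
    return [f"{sig.msg}: {s.src}:{s.sport} -> {s.dst}:{s.dport}"
            for s in segments for sig in sigs
            if s.dport == sig.dport and sig.content in s.payload]


def match_streams(streams: Dict[FlowKey, Stream], sigs: List[Signature]) -> List[str]:
    """Matcher over reassembled streams, which is what a NIDS has to do."""
    alerts = []
    for (src, sport, dst, dport), st in streams.items():
        for sig in sigs:
            if dport == sig.dport and sig.content in st.data:
                alerts.append(f"{sig.msg}: {src}:{sport} -> {dst}:{dport}")
    return alerts


# Constructed sample traffic (not a capture): the exploit bytes are split across
# two segments that arrive out of order, and the first of them is retransmitted.
ATTACKER, VICTIM = "10.0.0.7", "192.0.2.10"
SC = SAMBA_SIG.content
SAMPLE = [
    Segment(ATTACKER, 40001, VICTIM, 139, seq=1000, syn=True),
    Segment(ATTACKER, 40001, VICTIM, 139, seq=1009, payload=SC[6:] + b"AAAA"),   # arrives early
    Segment(ATTACKER, 40001, VICTIM, 139, seq=1001, payload=b"\x00\x00" + SC[:6]),
    Segment(ATTACKER, 40001, VICTIM, 139, seq=1001, payload=b"\x00\x00" + SC[:6]),  # retransmit
]


def demo() -> Tuple[bytes, List[str], List[str]]:
    streams = reassemble(SAMPLE)
    data = bytes(streams[(ATTACKER, 40001, VICTIM, 139)].data)
    return data, match_per_packet(SAMPLE, [SAMBA_SIG]), match_streams(streams, [SAMBA_SIG])


if __name__ == "__main__":
    data, per_packet, per_stream = demo()
    print("reassembled:", data.hex())
    print("per-packet alerts:", per_packet)   # empty: the pattern never sits inside one segment
    print("per-stream alerts:", per_stream)
```

The per-packet matcher misses the attack because no single segment carries the whole 12-byte pattern; only after reassembly does the content match. The retransmission policy in `Stream.add` is one of several an end host might use, and a monitor that picks a different one than the victim can be made to see a different byte stream, which is the evasion problem the later slides turn to.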
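Slides 13 and 14 contrast a profile that is inferred ("joe only logs in from host A, usually at night") with one that is written down as policy ("joe is only allowed to log in from host A"). The Python below is an added example for this page, not code from the talk or from any real IDS: it runs the same constructed login events through a small anomaly detector trained on history and through a specification checker driven by a hand-written policy, and shows the "trained to accept attacks as normal" failure from slide 13 directly. Users, hosts, hours, the policy table and all function names are made up.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Login:
    """One login event as a monitor might pull it out of an authentication log."""
    user: str
    host: str   # host the login came from
    hour: int   # local hour of day, 0-23


def _hour_near(hour: int, seen: Set[int]) -> bool:
    """True if hour is within one hour (wrapping at midnight) of some hour already seen."""
    return any(min((hour - h) % 24, (h - hour) % 24) <= 1 for h in seen)


class AnomalyDetector:
    """Anomaly detection: infer a per-user profile (hosts, hours) from events
    assumed to be normal, then flag logins that deviate from it."""

    def __init__(self) -> None:
        self.hosts: Dict[str, Set[str]] = defaultdict(set)
        self.hours: Dict[str, Set[int]] = defaultdict(set)

    def train(self, events: List[Login]) -> None:
        # Everything in the training window is accepted as normal; an attacker
        # active during that window gets written into the profile.
        for e in events:
            self.hosts[e.user].add(e.host)
            self.hours[e.user].add(e.hour)

    def check(self, e: Login) -> List[str]:
        if e.user not in self.hosts:
            return [f"no profile for user {e.user}"]
        reasons = []
        if e.host not in self.hosts[e.user]:
            reasons.append(f"{e.user} never seen from {e.host}")
        if not _hour_near(e.hour, self.hours[e.user]):
            reasons.append(f"{e.user} not usually active at {e.hour:02d}:00")
        return reasons


# Specification-based: the site writes the rule down instead of inferring it.
# Constructed policy table; the slide's example is "joe only from host A".
POLICY: Dict[str, Set[str]] = {
    "joe": {"hostA"},
    "ann": {"hostA", "hostB"},
}


def spec_check(e: Login, policy: Dict[str, Set[str]]) -> List[str]:
    allowed = policy.get(e.user)
    if allowed is None:
        return [f"no policy entry for user {e.user}"]
    if e.host not in allowed:
        return [f"{e.user} not permitted to log in from {e.host}"]
    return []


Verdict = Tuple[List[str], List[str]]   # (anomaly reasons, specification reasons)


def run_scenario() -> Dict[str, Verdict]:
    """Constructed login histories and probes exercising both approaches."""
    normal = [Login("joe", "hostA", h) for h in (22, 23, 1, 23, 0)] + [Login("ann", "hostB", 9)]
    # Same history, except the attacker was already using joe's account from
    # hostB while the profile was being built.
    poisoned = normal + [Login("joe", "hostB", 23)]

    clean, dirty = AnomalyDetector(), AnomalyDetector()
    clean.train(normal)
    dirty.train(poisoned)

    probe = Login("joe", "hostB", 23)     # joe's account used from another host
    daytime = Login("joe", "hostA", 14)   # right host, unusual hour
    stolen = Login("joe", "hostA", 23)    # stolen credential, expected host and hour

    return {
        "probe, clean profile": (clean.check(probe), spec_check(probe, POLICY)),
        "probe, poisoned profile": (dirty.check(probe), spec_check(probe, POLICY)),
        "daytime": (clean.check(daytime), spec_check(daytime, POLICY)),
        "stolen credential": (clean.check(stolen), spec_check(stolen, POLICY)),
    }


if __name__ == "__main__":
    for name, (anomaly, spec) in run_scenario().items():
        print(f"{name:24s} anomaly={anomaly or 'ok'} spec={spec or 'ok'}")
```

Four outcomes fall out of the run: with a clean profile both approaches flag joe logging in from hostB; once the attacker's activity has been folded into the training data the anomaly detector is silent while the policy still fires; the daytime login is caught only by the anomaly detector, because the written policy says nothing about hours (adding that is the specification maintenance cost slide 14 warns about); and a stolen credential used from the expected host at the expected hour is invisible to both, the "misses known attacks" case.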