UVA CS 451 - Intrusion Detection State of the Art/Practice


Intrusion Detection: State of the Art/Practice
Anita Jones
University of Virginia
10/06

Introduction
•Intrusion Detection
–determining whether or not some entity, the intruder, has attempted to gain, or has gained, unauthorized access to the system
•Intruder Types
–External
–Internal

State of Practice
•Assume the Operating System as the basis
•Use what an OS knows about -- OS semantics
–users, processes, devices
–controls on access and resource usage
–network traffic management
•Record events in the life of the OS
•Use OS audit records
OS Intrusion Detection Systems -- OS IDS

OS IDS - the two Approaches
•Anomaly Detection
–assume that behavior can be characterized
•statically -- by known, fixed data encoding
•dynamically -- by patterns of event sequences or by threshold limits on event occurrences (e.g. system calls)
–detect errant behavior that deviates from expected, normal behavior
•Misuse Detection
–look for known patterns (signatures) of intrusion, typically as the intrusion unfolds

OS IDS - the two Approaches (continued)
•Anomaly Detection
–Static: e.g. Tripwire, Self-Nonself
–Dynamic: e.g. Rule-based (thresholds) -- see GrIDS
•Misuse Detection
–e.g. USTAT
•Networks are handled as "extensions"
–i.e. use the same two approaches listed above
–Centralized: e.g. DIDS, NADIR, NSTAT
–Decentralized: e.g. GrIDS, EMERALD

Audit Records
•Most IDS depend on audit records
•What do OS audit records record?
•Can the OS assure integrity of the audit records?
•What techniques would an intruder use to cover his tracks that might be found in an audit trail? "Clandestine intruders"
•Forensics

User Profiles
•What can you use to characterize user activity?
•Measures (absolute amounts; fluctuation; duration):
–use of memory
–use of processors
–network traffic
•Absolute measures
•Statistical measures -- thresholds

User Profiles (continued): example measures
Measure                         What is recorded
CPU usage                       count; elapsed CPU execution in seconds
I/O usage                       # of devices; duration of use of each; # commands
Location of use                 # connections from each location
Mailer usage                    # invocations
Editor usage                    # invocations
Compiler usage                  # invocations
Shell usage                     # invocations
Directory usage                 # directories accessed; # accesses per directory
Commands used                   # commands; # repetitions per command
Directories created             # created
Directories read                # accessed; # at end of path
Directories modified            # directories changed; # mods per directory; size increase/decrease
File usage                      # accesses; # mods; magnitude of mods
Temp files created              #; average size; standard deviation of size
User IDs accessed               # times ID is changed
System errors                   #
System errors by type           # per type
Audit record activity           categories of records; # of each category; # per hour
Hourly activity                 patterns of CPU, files, memory used per hour
Time-of-day use                 pattern of average on-line use per day
Remote network activity         # packets sent; packets per hour
Network activity by host        hosts contacted
Local network activity          traffic within local network
Local network activity by host  traffic by host inside local network

Signatures
•A signature is some data, or pattern of data, that captures distinctive behavior
•Many IDS systems depend upon the development of a signature
•Large variety
•Formats of signatures may differ
•What is "summarized"?

OS IDS -- a Particular Problem
•OS IDS has problems when
–anomalous & normal behavior can't be distinctly characterized
–OS IDS has no pattern for a newly invented intrusion (misuse)
•But, the greatest problem is
–to distinguish abusive internal (legitimate user) activity

An OS IDS is inherently limited by the semantics of the OS
You can't talk about something for which you have no words!

Alarms
•Who do you call?
•How do they respond?
•Quality of the IDS:
–False positives
–False
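The two approaches on the slides side by side, as an added example that is not part of the lecture: a dynamic anomaly detector built from a per-user profile (hourly command counts and the set of commands ever used, two of the measures in the profile table) with a threshold rule, and a USTAT-style misuse detector that walks an ordered event-sequence signature. The key=value audit-record format, the constructed records for user alice, the mean + max(3*sd, 5) threshold and the setuid-then-shell signature are all assumptions, not anything the slides specify.

```python
"""OS-IDS sketch: anomaly detection from a per-user statistical profile with
thresholds, and misuse detection from an ordered event-sequence signature,
both run over constructed audit records.  Added example, not from the slides;
the record format, the measures and the signature are assumptions."""
from collections import defaultdict
from statistics import mean, pstdev

# Assumed audit-record format: one line per event, space-separated key=value
# fields.  All records below are constructed.  Days 1-5 are history.
def make_history():
    lines = []
    for day in range(1, 6):
        for hour in range(9, 18):                 # alice: office hours, 10 commands/hour
            for i in range(10):
                lines.append(f"user=alice day={day} hour={hour} event=exec "
                             f"arg={'vi' if i % 2 else 'cc'}")
    return lines

HISTORY = make_history()

# Day 6: her usual daytime work, plus a 03:00 burst of a command she has never
# used, followed by a setuid-to-root and an interactive shell.
TODAY = ([f"user=alice day=6 hour={h} event=exec arg=vi"
          for h in range(9, 18) for _ in range(10)]
         + ["user=alice day=6 hour=3 event=exec arg=cp"] * 40
         + ["user=alice day=6 hour=3 event=setuid arg=0",
            "user=alice day=6 hour=3 event=exec arg=sh"])

def parse(line):
    rec = dict(field.split("=", 1) for field in line.split())
    rec["day"], rec["hour"] = int(rec["day"]), int(rec["hour"])
    return rec

def build_profile(records):
    """Per (user, hour): mean and std. dev. of the daily command count over the
    history days (zero-filled, so quiet hours have a real baseline), plus the
    set of commands each user has ever run (a static measure)."""
    per_day = defaultdict(lambda: defaultdict(int))      # (user, hour) -> day -> count
    days, known_cmds = set(), defaultdict(set)
    for r in records:
        days.add(r["day"])
        if r["event"] == "exec":
            per_day[(r["user"], r["hour"])][r["day"]] += 1
            known_cmds[r["user"]].add(r["arg"])
    profile = {}
    for user in known_cmds:
        for hour in range(24):
            counts = [per_day[(user, hour)].get(d, 0) for d in sorted(days)]
            profile[(user, hour)] = (mean(counts), pstdev(counts))
    return profile, known_cmds

def detect_anomalies(profile, known_cmds, records, k=3.0, floor=5):
    """Threshold rule: alarm when an hour's command count exceeds
    mean + max(k * stdev, floor).  The floor handles the edge case of hours
    with a flat history (stdev 0), where otherwise one command would alarm."""
    counts, new_cmds = defaultdict(int), defaultdict(set)
    for r in records:
        if r["event"] == "exec":
            counts[(r["user"], r["hour"])] += 1
            if r["arg"] not in known_cmds.get(r["user"], set()):
                new_cmds[r["user"]].add(r["arg"])
    alarms = []
    for (user, hour), n in sorted(counts.items()):
        mu, sd = profile.get((user, hour), (0.0, 0.0))
        if n > mu + max(k * sd, floor):
            alarms.append(f"{user} hour {hour:02d}: {n} commands, "
                          f"baseline mean {mu:.1f} sd {sd:.1f}")
    for user, cmds in new_cmds.items():
        alarms.append(f"{user}: commands never seen in profile: {sorted(cmds)}")
    return alarms

# Misuse signature (assumed): the steps must occur in this order for one user.
SIGNATURE = ("setuid-to-root then shell", [("setuid", "0"), ("exec", "sh")])

def detect_misuse(records, signature):
    """USTAT-style state transition: each user advances one state per matching
    step; the alarm fires on the final step and the state resets."""
    name, steps = signature
    state, hits = defaultdict(int), []
    for r in records:
        if (r["event"], r["arg"]) == steps[state[r["user"]]]:
            state[r["user"]] += 1
            if state[r["user"]] == len(steps):
                hits.append(f"{r['user']} day {r['day']} hour {r['hour']:02d}: {name}")
                state[r["user"]] = 0
    return hits

def run():
    profile, known = build_profile([parse(l) for l in HISTORY])
    today = [parse(l) for l in TODAY]
    return detect_anomalies(profile, known, today), detect_misuse(today, SIGNATURE)

if __name__ == "__main__":
    anomalies, hits = run()
    for line in anomalies + hits:
        print(line)
```

The two detectors fail in the ways the slides describe: the anomaly rule alarms on the 03:00 burst only because the profile has a zero-filled baseline for that hour and a floor to cope with a zero standard deviation, and it says nothing about what the burst did; the signature catches the setuid-then-shell sequence only because someone wrote that signature in advance, so a newly invented sequence passes silently.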
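The Audit Records slide asks whether the OS can assure the integrity of its audit trail and how a clandestine intruder covers his tracks. The following is an added example (not from the lecture) of one mechanism that makes the usual track-covering moves detectable: each record is tagged with an HMAC chained to the previous record's tag, and the logging host evolves its key after every record and discards the old one, so an intruder who takes over the host cannot re-tag what was written before the compromise. The record format, the key provisioning, the off-host collector and the mallory session are assumptions.

```python
"""Tamper-evident OS audit trail: every record carries an HMAC over itself and
the previous record's tag, and the host evolves (hashes) its key after each
record and discards the old one.  Added example, not from the slides; the
record format and key handling are assumptions."""
import hashlib
import hmac

def _tag(key, prev_tag, record):
    return hmac.new(key, prev_tag + b"\x00" + record.encode(), hashlib.sha256).hexdigest()

def _evolve(key):
    return hashlib.sha256(b"audit-key-evolve" + key).digest()

class AuditLogger:
    """Host side.  Holds only the *current* key, so an intruder who takes the
    host after record i can forge records from i onward but cannot re-tag
    records 0..i-1 to hide what led up to the compromise."""
    def __init__(self, initial_key):
        self.key, self.prev_tag, self.trail = initial_key, b"genesis", []

    def append(self, record):
        t = _tag(self.key, self.prev_tag, record)
        self.trail.append((record, t))
        self.prev_tag = t.encode()
        self.key = _evolve(self.key)             # old key is now unrecoverable

def verify(trail, initial_key, checkpoint=None):
    """Collector side (holds the initial key off-host).  Returns (ok, index of
    the first bad record or None).  `checkpoint` is the last tag the collector
    has already received; without it, truncating the tail of the trail, the
    simplest way to cover tracks, passes verification."""
    key, prev = initial_key, b"genesis"
    for i, (record, t) in enumerate(trail):
        if not hmac.compare_digest(t, _tag(key, prev, record)):
            return False, i
        key, prev = _evolve(key), t.encode()
    if checkpoint is not None and (not trail or trail[-1][1] != checkpoint):
        return False, len(trail)
    return True, None

# Constructed audit records for a session the intruder would like to hide.
EVENTS = ["login user=mallory from=10.0.0.7",
          "exec user=mallory arg=sh",
          "setuid user=mallory to=0",
          "read user=mallory file=/etc/shadow",
          "logout user=mallory"]
INITIAL_KEY = b"initial-key-provisioned-at-boot"   # assumption: shared with collector only

def demo():
    log = AuditLogger(INITIAL_KEY)
    for e in EVENTS:
        log.append(e)
    trail, checkpoint = log.trail, log.trail[-1][1]
    # Three track-covering attempts on copies of the trail:
    edited = list(trail)                              # 1. rewrite the damning record
    edited[3] = ("read user=mallory file=/etc/motd", edited[3][1])
    deleted = trail[:3] + trail[4:]                   # 2. delete it outright
    truncated = trail[:1]                             # 3. chop everything after login
    return {
        "intact": verify(trail, INITIAL_KEY, checkpoint),
        "edited": verify(edited, INITIAL_KEY, checkpoint),
        "deleted": verify(deleted, INITIAL_KEY, checkpoint),
        "truncated_no_checkpoint": verify(truncated, INITIAL_KEY),
        "truncated_checkpoint": verify(truncated, INITIAL_KEY, checkpoint),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24s} {result}")
```

The point the slide's question is driving at survives the mechanism: the OS alone cannot assure the trail's integrity, because an intruder with root can stop logging, or truncate the file and forge a fresh tail with the current key. What the chain buys is that edits and deletions inside the recorded history break verification, and truncation is caught only when something outside the host (the collector's checkpoint) remembers how far the trail had got.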

