CS 239, Winter 2005
Intrusion Detection
CS 239
Computer Software
March 9, 2005
Lecture 15, Page 1

Outline
• Introduction
• Characteristics of intrusion detection systems
• Some sample intrusion detection systems

Introduction
• Many mechanisms exist for protecting systems from intruders
  – Access control, firewalls, authentication, etc.
• They all have one common characteristic:
  – They don’t always work

Intrusion Detection
• Work from the assumption that sooner or later your security measures will fail
• Try to detect the improper behavior of the intruder who has defeated your security
• Inform the system or system administrators to take action

Why Intrusion Detection?
• If we can detect bad things, can’t we simply prevent them?
• Possibly not:
  – May be too expensive
  – May involve many separate operations
  – May involve things we didn’t foresee

For Example,
• Your intrusion detection system regards setting uid on root executables as suspicious
  – Yet the system must allow the system administrator to do so
• If the system detects several such events, it becomes suspicious
  – And reports the problem

Couldn’t the System Just Have Stopped This?
• Perhaps, but -
• The real problem was that someone got root access
  – The changing of setuid bits was just a symptom
• And under some circumstances the behavior is legitimate

Intrusions
• “any set of actions that attempt to compromise the integrity, confidentiality, or availability of a resource”[1]
• Which covers a lot of ground
  – Implying they’re hard to stop
[1] Heady, Luger, Maccabe, and Servilla, “The Architecture of a Network Level Intrusion Detection System,” Tech Report, U. of New Mexico, 1990.

Is Intrusion Really a Problem?
• Is intrusion detection worth the trouble?
• Yes, at least for some installations
• Consider the experience of NetRanger intrusion detection users

The NetRanger Data
• Gathered during 5 months of 1997
• From all of NetRanger’s licensed customers
• A reliable figure, since the software reports incidents to the company

NetRanger’s Results
• 556,464 security alarms in 5 months
• Some serious, some not
  – “Serious” defined as attempting to gain unauthorized access
• For NetRanger customers, serious attacks occurred .5 to 5 times per month
  – Electronic commerce sites hit most

Kinds of Attacks Seen
• Often occurred in waves
  – When someone published code for a particular attack, it happened a lot
  – Because of “Script Kiddies”
• 100% of web attacks were on web commerce sites

Where Did Attacks Come From?
• Just about everywhere
• 48% from ISPs
• But also attacks from major companies, business partners, government sites, universities, etc.
• 39% from outside US
  – Only based on IP address, though

Kinds of Intrusions
• External intrusions
• Internal intrusions

External Intrusions
• What most people think of
• An unauthorized (usually remote) user trying to illicitly access your system
• Using various security vulnerabilities to break in
• The typical case of a hacker attack

Internal Intrusions
• An authorized user trying to gain privileges beyond those he is entitled to
• No longer the majority of problems
  – But often the most serious ones
• More dangerous, because insiders have a foothold and know more

Basics of Intrusion Detection
• Watch what’s going on in the system
• Try to detect behavior that characterizes intruders
• While avoiding improper detection of legitimate access
• Hopefully all at a reasonable cost

Intrusion Detection and Logging
• A natural match
• The intrusion detection system examines the log
  – Which is being kept, anyway
• Secondary benefits of using the intrusion detection system to reduce the log

On-Line Vs. Off-Line Intrusion Detection
• Intrusion detection mechanisms can be complicated and heavy-weight
• Perhaps better to run them off-line
  – E.g., at nighttime
• Disadvantage is that you don’t catch intrusions as they happen

Failures In Intrusion Detection
• False positives
  – Legitimate activity identified as an intrusion
• False negatives
  – An intrusion not noticed
• Subversion errors
  – Attacks on the intrusion detection system

Desired Characteristics in Intrusion Detection
• Continuously running
• Fault tolerant
• Subversion resistant
• Minimal overhead
• Must observe deviations
• Easily tailorable
• Evolving
• Difficult to fool

Host Intrusion Detection
• Run the intrusion detection system on a single computer
• Look for problems only on that computer
• Often by examining the logs of the computer

Advantages of the Host Approach
• Lots of information to work with
• Only need to deal with problems on one machine
• Can get information in readily understandable form

Network Intrusion Detection
• Do the same for a local (or wide) area network
• Either by using distributed systems techniques
• Or (more commonly) by sniffing network traffic

Advantages of Network Approach
• Need not use up any resources on users’ machines
• Easier to properly configure for large installations
• Can observe things affecting multiple machines

Network Intrusion Detection and Data Volume
• Lots of information passes on the network
• If you grab it all, you will produce vast amounts of data
• Which will require vast amounts of time to process

Network Intrusion Detection and Sensors
• Use programs called sensors to grab only relevant data
• Sensors quickly examine network traffic
  – Record the relevant stuff
  – Discard the rest
• If you design sensors right, greatly reduces the problem of data volume
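The setuid example from the "For Example" and "Couldn't the System Just Have Stopped This?" slides, together with the false positive / false negative failure modes, as an added Python illustration that is not part of the lecture: a host-based detector reads constructed audit records, alerts once a user turns on the setuid bit of several root-owned executables within a short window (one change may be the administrator, a burst is suspicious), and is scored against a known set of intruders so the threshold's trade-off between the two failure modes is visible. The log format, field names, users and threshold values are all assumptions.

```python
import re
from collections import defaultdict

# Constructed audit records (not from the lecture): timestamp in seconds,
# who ran chmod, on which file, the new mode, and the file's owner.
AUDIT_LOG = """\
1000 chmod user=alice file=/usr/local/bin/backup mode=4755 owner=root
1030 chmod user=alice file=/usr/local/bin/restore mode=4755 owner=root
2000 chmod user=bob file=/tmp/sh mode=4755 owner=root
2010 chmod user=bob file=/tmp/ls mode=4755 owner=root
2025 chmod user=bob file=/tmp/cat mode=4755 owner=root
2100 chmod user=carol file=/home/carol/notes mode=0644 owner=carol
"""
LINE_RE = re.compile(r"(?P<ts>\d+) chmod user=(?P<user>\S+) file=(?P<file>\S+) "
                     r"mode=(?P<mode>[0-7]+) owner=(?P<owner>\S+)")

def parse(log):
    """Turn each log line into a dict; the timestamp becomes an int."""
    events = []
    for m in filter(None, map(LINE_RE.match, log.splitlines())):
        e = m.groupdict()
        e["ts"] = int(e["ts"])
        events.append(e)
    return events

def is_setuid_root(e):
    """chmod that turns on the setuid bit (04000) of a root-owned file."""
    return e["owner"] == "root" and int(e["mode"], 8) & 0o4000 != 0

def detect(events, threshold=3, window=60):
    """One setuid change may be the administrator; alert only when a user
    makes `threshold` of them within `window` seconds (reported once per burst)."""
    recent, alerts = defaultdict(list), []
    for e in events:
        if not is_setuid_root(e):
            continue
        times = [t for t in recent[e["user"]] + [e["ts"]] if e["ts"] - t <= window]
        recent[e["user"]] = times
        if len(times) >= threshold:
            alerts.append((e["user"], e["ts"]))
            recent[e["user"]] = []
    return alerts

def score(alerts, intruders):
    """False positives: alerted but legitimate. False negatives: intruders missed."""
    alerted = {user for user, _ in alerts}
    return sorted(alerted - intruders), sorted(intruders - alerted)
```

Lowering the threshold to 2 flags the administrator alice as well (a false positive); raising it to 4 misses bob entirely (a false negative).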
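The sensor idea from the "Network Intrusion Detection and Sensors" slide, as an added Python sketch that is not part of the lecture: a sensor applies a cheap per-packet test to constructed traffic records, records a compact summary of only the packets that matter (here, connection attempts to ports the monitored host does not serve), discards everything else, and reports what fraction of the raw byte volume is left for analysis. The packet fields, addresses, served-port list and relevance rule are assumptions.

```python
from collections import Counter, namedtuple

Packet = namedtuple("Packet", "src dst dport flags length")

# Constructed traffic sample (not from the lecture): ordinary web traffic
# plus one source trying ports the server does not offer.
TRAFFIC = [
    Packet("10.0.0.5", "192.0.2.10", 80, "S", 60),
    Packet("10.0.0.5", "192.0.2.10", 80, "A", 1500),
    Packet("10.0.0.5", "192.0.2.10", 80, "A", 1500),
    Packet("10.0.0.7", "192.0.2.10", 443, "S", 60),
    Packet("10.0.0.7", "192.0.2.10", 443, "A", 1400),
    Packet("203.0.113.9", "192.0.2.10", 22, "S", 60),
    Packet("203.0.113.9", "192.0.2.10", 23, "S", 60),
    Packet("203.0.113.9", "192.0.2.10", 3306, "S", 60),
    Packet("203.0.113.9", "192.0.2.10", 80, "S", 60),
]

SERVED_PORTS = {80, 443}   # assumed: what the monitored host legitimately offers

def relevant(pkt):
    """Fast per-packet test: keep only connection attempts (SYN) to ports the
    host does not serve; everything else is dropped without further work."""
    return pkt.flags == "S" and pkt.dport not in SERVED_PORTS

def sensor(traffic):
    """Record a compact (src, dport) tuple per relevant packet, discard the
    rest, and return the share of raw bytes an analyst would still see."""
    kept = [(p.src, p.dport) for p in traffic if relevant(p)]
    raw_bytes = sum(p.length for p in traffic)
    kept_bytes = sum(p.length for p in traffic if relevant(p))
    per_source = Counter(src for src, _ in kept)
    return kept, per_source, kept_bytes / raw_bytes
```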
UCLA COMSCI 239 - Intrusion Detection