USC CSCI 530 - 07_intrusion


T1 CS530 Intrusion Detection
Bill Cheng
http://merlot.usc.edu/cs530-s10
CSCI 530, Spring 2010 Copyright © William C. Cheng

T2 Intrusion Detection
- Security enforcement mechanisms are not foolproof, so we need a way of knowing when they are not working
  - or even better, before they stop working
- We need ways to detect insider misuse
  - e.g., is this employee selling information?
  - detect suspicious activities

T3 Taxonomy for Intrusion Detection
- What is detected
  - misuse detection - look for "bad" behaviors
    - e.g., virus checker, spam filters - need to download new "definition files"
  - anomaly detection - look at behavior and detect out-of-profile activities
    - need to compare against a baseline
- Where detected
  - network based
  - host based - system logs
  - application based
- When attack is detected
  - real time
  - after the fact / post mortem

T4 Basis for Detecting Attack
- Systems operating normally
  - activity conforms to statistically predictable patterns
  - actions do not include attempts to subvert policy
  - actions of processes conform to the policies regarding what they are allowed to do
- e.g., when system is under attack, will see unusual amount of denied accesses

T5 Rating ID Systems
- False positives
  - normal activity flagged as intrusion
  - affects administrator workload
  - e.g., port scanners - if you don't have the vulnerability, do not raise alarm
  - "the boy who cried wolf"
- False negatives
  - attacks that are not detected
  - e.g., spam filtering
    - I filter out all HTML-only e-mails
    - too many of these - denial of service on yourself
- compare current characteristics and behavior against baseline and determine if it's within tolerance
T6 Anomaly Detection
- How it works
  - analyze baseline characteristics of system or user behavior and record
    - need to have an abstraction or a model
  - flag differences
- Why it is hard
  - deciding how to characterize behavior so that changes reflect intrusions and not normal changes in activities
    - or is it just a statistical fluctuation?
  - Credit card companies do this all the time

T7 Metrics
- Threshold metrics
  - number of failed access attempts
    - e.g., can be used to detect misuses from within
    - e.g., confiscate ATM card after 3 bad PINs
  - bandwidth consumed
- State change probabilities (Markov models)
  - requires training by analyzing normal traces (system logs)
    - there are systems that can be trained while monitoring
  - looking for transitions that don't seem to follow the normal pattern

T8 Misuse Detection
- Whether activities or code violate site policy
  - rule based
    - e.g., if A is followed by B and if B is followed by C, flag it
  - signature based
    - virus checkers are usually signature based
- Strengths
  - tend to have fewer false positives
  - can protect against write to boot sector
- Problems
  - can only detect attacks known in advance
  - many more false negatives (subject to definition)
    - vendor's definition?

T9 Collecting Input Data
- Audit vs. Intrusion Detection
- Network based ID
- Host based ID
- Application based ID

T10 Network Based ID
- Often based on network sniffing
  - listening to network traffic as it goes by a sensor node
  - could be placed in routers or other network components
  - e.g., SNORT - packet sniffer
- issues
  - placement
    - be careful with switched Ethernet
    - wireless channel can be asymmetric
  - load
    - may log only summary information to reduce load
    - e.g., IP traceback
  - encrypted traffic (such as IPSec)
  - (cont...)
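The two metric families on the Metrics slide, worked as an added example that is not part of the lecture: a threshold metric on consecutive failed logins (the "3 bad PINs" rule) and a Markov transition model trained on a normal trace, which then flags transitions that fall outside the learned pattern. The traces, user names and action names are constructed for the example.

```python
from collections import Counter, defaultdict
# Constructed audit traces (not from the lecture): one "<user> <action>" per line.
NORMAL_TRACE = """alice login_ok
alice read_file
alice write_file
alice logout
bob login_ok
bob read_file
bob logout"""
SUSPECT_TRACE = """alice login_fail
alice login_fail
alice login_fail
alice login_ok
alice read_file
alice change_password"""

def parse(trace):
    """Group a trace into per-user action sequences, preserving order."""
    seqs = defaultdict(list)
    for user, action in (line.split() for line in trace.strip().splitlines()):
        seqs[user].append(action)
    return seqs

def train_markov(seqs):
    """Training phase: estimate P(next | current) from the normal traces."""
    counts = defaultdict(Counter)
    for actions in seqs.values():
        for cur, nxt in zip(actions, actions[1:]):
            counts[cur][nxt] += 1
    return {c: {n: k / sum(d.values()) for n, k in d.items()} for c, d in counts.items()}

def markov_alerts(model, seqs, tolerance=0.05):
    """Detection phase: flag transitions rarer than the tolerance (unseen = 0)."""
    alerts = []
    for user, actions in seqs.items():
        for cur, nxt in zip(actions, actions[1:]):
            if model.get(cur, {}).get(nxt, 0.0) < tolerance:
                alerts.append((user, cur, nxt))
    return alerts

def threshold_alerts(seqs, limit=3):
    """Threshold metric: users reaching `limit` consecutive failed logins."""
    flagged = []
    for user, actions in seqs.items():
        streak = 0
        for action in actions:
            streak = streak + 1 if action == "login_fail" else 0
            if streak == limit:
                flagged.append(user)
    return flagged
```

Training on NORMAL_TRACE and scoring SUSPECT_TRACE yields four out-of-profile transitions (the failed-login run, and read_file followed by change_password) plus one threshold alert for alice; scoring the normal trace against itself yields none, which is the baseline check the slide on rating ID systems asks for.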
T11 Network Based ID (Cont...)
- issues (cont...)
  - determining intent
    - e.g., if a message to port 24 (SMTP) does not look like e-mail, flag it
    - e.g., in HTTP, turn on encryption (but don't really encrypt) - ID will ignore these messages!
      - can use this "feature" for tunneling

T12 Host Based ID
- Scan system and application logs
  - only get what applications already put into logs
- Report on system state
  - e.g., load, who are logged in
- Report activity to ID system
- Issues
  - might not understand the intent of an action
  - We have better understanding of these because hosts are usually not an open system (unlike networks)
  - but break-ins can be covered up easier (unlike networks)

T13 Application Based ID
- Application determines what to report to ID system
  - based on a policy
- Benefits
  - application understands the objects and entities to which policies apply
- Drawbacks
  - requires application involvement (some applications will not report)
    - authorization functions like GAA-API can help address this limitation

T14 Issues In Intrusion Detection
- Collecting data on and reporting events
  - interoperability issues
    - languages, e.g. CIDF
  - consider overhead
    - to reduce network traffic consumed
- Reducing data
  - summarize data
    - e.g., "10 of the following messages have been seen"
  - finding relationships
  - what have you filtered out that shouldn't be filtered out?

T15 Components of ID Systems
- Collectors - gather raw data
- Director - reduces incoming traffic and finds relationships
- Notifier - accepts data from director and takes appropriate action

T16 Advanced IDS Models
- Distributed detection
  - combining host and network monitoring (DIDS)
  - autonomous agents (Crosbie and Spafford)
  - COSSACK project at USC/ISI - professor Papadopoulos
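An added example (not the lecture's code) tying the Misuse Detection slide's rule "if A is followed by B and if B is followed by C, flag it" to the collector / director / notifier split on the Components slide, with the director's data-reduction step collapsing repeated records into "<n> of the following messages have been seen". The event records, host names and the three-step signature are constructed for the example.

```python
from collections import defaultdict
# Constructed collector input (not from the lecture): one "<host> <event>" per line.
RAW_EVENTS = """h1 probe
h1 probe
h1 probe
h1 login_ok
h1 config_change
h2 login_ok
h2 config_change
h2 logout"""
# Rule-based signature: A followed (eventually) by B, then by C, on the same host.
SIGNATURE = ("probe", "login_ok", "config_change")

def collect(raw):
    """Collector: gather raw data into (host, event) records."""
    return [tuple(line.split()) for line in raw.strip().splitlines()]

def summarize(records):
    """Director, reduction step: collapse adjacent repeats into (count, record)."""
    out = []
    for rec in records:
        if out and out[-1][1] == rec:
            out[-1][0] += 1          # "n of the following messages have been seen"
        else:
            out.append([1, rec])
    return [(n, rec) for n, rec in out]

def match_signature(summary, signature=SIGNATURE):
    """Director, relationship step: advance a per-host cursor through the rule."""
    progress = defaultdict(int)
    hits = []
    for _count, (host, event) in summary:
        if event == signature[progress[host]]:
            progress[host] += 1
            if progress[host] == len(signature):   # A, B and C all seen in order
                hits.append(host)
                progress[host] = 0
    return hits

def notify(hits):
    """Notifier: turn director output into actions (here, alert messages)."""
    return [f"ALERT host={h}: signature {'->'.join(SIGNATURE)} matched" for h in hits]
```

Only h1 matches, and only because its sequence is in the definition; a host that reaches the same end state by a different path is a false negative, which is the "subject to definition" weakness the slide notes.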
T17 Intrusion Response
- Intrusion prevention
  - it's a marketing buzzword
- Intrusion response
  - how to react when an intrusion is detected (or an attempt of intrusion)

T18 Possible Responses
- Notify administrator
- System or network lockdown
  - change firewall rules
  - done with worms - no outgoing traffic from this node
- Place attacker in controlled environment
  - quarantine
  - use a Honeypot to attract unsuspecting attacker
- Slow the system for offending processes
  - commonly used for SMTP servers - if spam is detected, slow down the connection
- Kill the process
  - often it is more desirable to suspend the process so you can examine memory

T19 Phase of Response [Bishop 2003]
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Follow up