Intrusion Detection/Prevention Systems

Intrusion Detection/Prevention Systems

Definitions Intrusion – A set of actions aimed to compromise the security goals, namely Integrity, confidentiality, or availability, of a computing and networking resource Intrusion detection – The process of identifying and responding to intrusion activities Intrusion prevention – Extension of ID with exercises of access control to protect computers from exploitation

Elements of Intrusion Detection Primary assumptions: – System activities are observable – Normal and intrusive activities have distinct evidence Components of intrusion detection systems: – From an algorithmic perspective: Features - capture intrusion evidences Models - piece evidences together – From a system architecture perspective: Various components: audit data processor, knowledge base, decision engine, alarm generation and responses

Components of Intrusion Detection System Audit Records system activities are observable Audit Data Preprocessor Activity Data Detection Models normal and intrusive activities have Detection Engine distinct evidence Alarms Decision Table Decision Engine Action/Report

Intrusion Detection Approaches Modeling – Features: evidences extracted from audit data – Analysis approach: piecing the evidences together Misuse detection (a.k.a. signature-based) Anomaly detection (a.k.a. statistical-based) Deployment: Network-based or Host-based – Network based: monitor network traffic – Host based: monitor computer processes

Misuse Detection pattern matching Intrusion Patterns intrusion activities Example: if (src ip dst ip) then “land attack” Can’t detect new attacks

Anomaly Detection 90 80 70 60 activity 50 measures40 30 20 10 0 Any problem ? probable intrusion normal profile abnormal CPU Process Size Relatively high false positive rate Anomalies can just be new normal activities. Anomalies caused by other element faults E.g., router failure or misconfiguration, P2P misconfiguration

Host-Based IDSs Using OS auditing mechanisms – E.G., BSM on Solaris: logs all direct or indirect events generated by a user – strace for system calls made by a program (Linux) Monitoring user activities – E.G., analyze shell commands Problems: user dependent – Have to install IDS on all user machines ! – Ineffective for large scale attacks

The Spread of Sapphire/Slammer Worms

Network Based IDSs Internet Gateway routers Our network Host based detection At the early stage of the worm, only limited worm samples. Host based sensors can only cover limited IP space, which might have scalability issues. Thus they might not be able to detect the worm in its early stage

Network IDSs Deploying sensors at strategic locations – E.G., Packet sniffing via tcpdump at routers Inspecting network traffic – Watch for violations of protocols and unusual connection patterns Monitoring user activities – Look into the data portions of the packets for malicious code May be easily defeated by encryption – Data portions and some header information can be encrypted – The decryption engine may still be there, especially for exploit

Key Metrics of IDS/IPS Algorithm – Alarm: A; Intrusion: I – Detection (true alarm) rate: P(A I) False negative rate P( A I) – False alarm (aka, false positive) rate: P(A I) True negative rate P( A I) Architecture – Throughput of NIDS, targeting 10s of Gbps E.g., 32 nsec for 40 byte TCP SYN packet – Resilient to attacks

Architecture of Network IDS Signature matching (& protocol parsing when needed) Protocol identification TCP reassembly Packet capture libpcap Packet stream

Firewall/Net IPS VS Net IDS Firewall/IPS – Active filtering – Fail-close Network IDS – Passive monitoring – Fail-open IDS FW

Related Tools for Network IDS (I) While not an element of Snort, Ethereal is the best open source GUI-based packet viewer www.ethereal.com offers: – Windows – UNIX, e.g., www.ethereal.com/download.html – Red Hat Linux RPMs: ftp.ethereal.com/pub/ethereal/rpms/

Related Tools for Network IDS (II) Also not an element of Snort, tcpdump is a well-established CLI packet capture tool – www.tcpdump.org offers UNIX source – http://www.winpcap.org/windump/ offers windump, a Windows port of tcpdump windump is helpful because it will help you see the different interfaces available on your sensor

Case Study: Snort IDS

Problems with Current IDSs Inaccuracy for exploit based signatures Cannot recognize unknown anomalies/intrusions Cannot provide quality info for forensics or situational-aware analysis – Hard to differentiate malicious events with unintentional anomalies Anomalies can be caused by network element faults, e.g., router misconfiguration, link failures, etc., or application (such as P2P) misconfiguration – Cannot tell the situational-aware info: attack scope/target/strategy, attacker (botnet) size, etc.

Limitations of Exploit Based Signature Signature: 10.*01 1010101 Internet Traffic Filtering 10111101 X X 11111100 00010111 Polymorphism! Polymorphic worm might not have exact exploit based signature Our network

Vulnerability Signature Internet Vulnerability signature traffic filtering X X Our network X X Vulnerability Work for polymorphic worms Work for all the worms which target the same vulnerability

Example of Vulnerability Signatures At least 75% vulnerabilities are due to buffer overflow Sample vulnerability signature Field length corresponding to vulnerable buffer certain threshold Intrinsic to buffer overflow vulnerability and hard to evade Overflow! Protocol message Vulnerable buffer

Next Generation IDSs Vulnerability-based Adaptive - Automatically detect & generate signatures for zero-day attacks Scenario-based for forensics and being situational-aware – Correlate (multiple sources of) audit data and attack information

Counting Zero-Day Attacks Network Tap TCP 25 Known Attack Filter Flow Classifier Protocol Classifier TCP 53 TCP 80 . . . Suspicious Traffic Pool TCP 137 UDP 1434 Core algorithms Signatures Real time Normal traffic reservoir Honeynet/ darknet, Statistical detection Normal Traffic Pool Policy driven

Security Information Fusion Internet Storm Center (aka, DShield) has the largest IDS log repository Sensors covering over 500,000 IP addresses in over 50 countries More w/ DShield slides

Backup Slides

Requirements of Network IDS High-speed, large volume monitoring – No packet filter drops Real-time notification Mechanism separate from policy Extensible Broad detection coverage Economy in resource usage Resilience to stress Resilience to attacks upon the IDS itself!

Architecture of Network IDS Policy script Alerts/notifications Policy Script Interpreter Event control Event stream Event Engine tcpdump filters Filtered packet stream libpcap Packet stream Network