
Intrusion Detection Systems CSE 3043 Computer Security

Definitions
Intrusion
A set of actions aimed at compromising the security goals, namely integrity, confidentiality, or availability, of a computing and networking resource

Intrusion detection
The process of identifying and responding to intrusion activities
Intrusion Detection Systems look for attack signatures, which are specific patterns that usually indicate malicious or suspicious intent.

Why Intrusion Detection?


Computer networks wage a constant struggle against intruders and attackers. Attacks on distributed systems grow stronger and more prevalent every day. Intrusion detection methods are key to controlling and potentially eradicating attacks on a system.

Intrusion Detection Defined


Clear Definition: An intrusion detection system pertains to the methods used to identify an attack on a computer or computer network.
Formal Definition: [Intrusion Detection] is the art of detecting inappropriate, incorrect, or anomalous activity. - Dirk Lehmann, Siemens CERT

Elements of Intrusion Detection


Primary assumptions:
System activities are observable
Normal and intrusive activities have distinct evidence

Components of intrusion detection systems:


From an algorithmic perspective:
Features: capture intrusion evidence
Models: piece the evidence together

From a system architecture perspective:


Audit data processor, knowledge base, decision engine, alarm generation and responses

Components of Intrusion Detection System


[Figure: Audit Records -> Audit Data Preprocessor -> Activity Data -> Detection Engine (using Detection Models) -> Alarms -> Decision Engine (using Decision Table) -> Action/Report. The diagram annotates the two assumptions: system activities are observable; normal and intrusive activities have distinct evidence.]

Key Performance Metrics


Algorithm
Alarm: A; Intrusion: I
Detection (true alarm) rate: P(A|I)
False negative rate: P(¬A|I)
False alarm rate: P(A|¬I)
True negative rate: P(¬A|¬I)
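The four rates above are conditional probabilities estimated from a labelled set of events. The following Python is an added example (not code from the lecture slides) that computes them from a constructed sample, using the slide's A/I notation; it goes one step beyond the slide by also computing P(I|A) with Bayes' rule, which shows why the false-alarm rate matters so much when intrusions are rare. The sample counts and the base rate are assumptions made for the example.

```python
"""Confusion-matrix rates for an IDS, in the slide's notation.

Added example, not part of the lecture slides. A = alarm raised,
I = intrusion occurred. Rates are estimated from a constructed
labelled sample of (is_intrusion, alarm_raised) pairs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rates:
    detection: float       # P(A | I)        true alarm rate
    false_negative: float  # P(not A | I)
    false_alarm: float     # P(A | not I)
    true_negative: float   # P(not A | not I)


def ids_rates(events):
    """events: iterable of (is_intrusion, alarm_raised) booleans.

    Each rate is conditioned on ground truth, so detection + false_negative
    and false_alarm + true_negative each sum to 1.
    """
    tp = fn = fp = tn = 0
    for is_intrusion, alarm in events:
        if is_intrusion:
            if alarm:
                tp += 1
            else:
                fn += 1
        else:
            if alarm:
                fp += 1
            else:
                tn += 1
    intrusions = tp + fn
    benign = fp + tn
    if intrusions == 0 or benign == 0:
        raise ValueError("need at least one intrusion and one benign event")
    return Rates(tp / intrusions, fn / intrusions, fp / benign, tn / benign)


def bayesian_detection_rate(detection, false_alarm, base_rate):
    """P(I | A): probability that a raised alarm is a real intrusion.

    Bayes' rule: P(I|A) = P(A|I) P(I) / (P(A|I) P(I) + P(A|not I) P(not I)).
    With a small base rate P(I), the false-alarm term dominates.
    """
    p_alarm = detection * base_rate + false_alarm * (1 - base_rate)
    return detection * base_rate / p_alarm


# Constructed sample (assumption): 10 intrusions of which 8 raise an alarm,
# 100 benign events of which 5 raise a false alarm.
SAMPLE_EVENTS = (
    [(True, True)] * 8 + [(True, False)] * 2
    + [(False, True)] * 5 + [(False, False)] * 95
)

if __name__ == "__main__":
    r = ids_rates(SAMPLE_EVENTS)
    print(r)
    # assumed base rate: one event in a thousand is an intrusion
    print("P(I|A) at base rate 0.001:",
          bayesian_detection_rate(r.detection, r.false_alarm, 0.001))
```

With these numbers the detection rate is 0.8 and the false alarm rate only 0.05, yet at a base rate of one intrusion per thousand events fewer than 2% of alarms are real intrusions; this is the practical reason the later slides keep returning to the false positive problem.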

Intrusion Detection Approaches


Modeling
Features: evidence extracted from audit data
Analysis approach: piecing the evidence together
Misuse detection (a.k.a. signature-based)
Anomaly detection (a.k.a. statistical-based)

Deployment: Network-based or Host-based

Different ways of classifying an IDS
IDS based on:
anomaly detection
signature-based (misuse)
host-based
network-based

Misuse Detection
[Figure: intrusion patterns are pattern-matched against observed activities to flag an intrusion.]

Example: if (src_ip == dst_ip) then land attack
Limitation: can't detect new attacks

Signature-Based Intrusion Detection Systems
Watch for patterns of events specific to known and documented attacks
Typically connected to a large database which houses attack signatures
Presumed to be able to detect only attacks known to its database
Performance lag when intrusion patterns match several attack signatures

Intrusion Detection Schemes (2)


Pattern-Matching Detection (PMD)
Also known as signature-based intrusion detection.

The term signature refers to a set of conditions that, when met, indicate some type of intrusion event. PMD detects a pattern which matches closely the activity that is typical of a network intrusion, so if a pattern or set of events matches, this may indicate a specific attack on the system that has been previously documented. PMD is usually associated with misuse intrusion (attacks from inside). Pattern matching looks for a fixed sequence of bytes within a single packet, and traffic is filtered to a source or destination port. (Informit.com)
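The misuse example on the earlier slide (if src_ip == dst_ip then land attack) and the pattern-matching description above are both instances of one mechanism: a signature is a set of conditions on a single packet, either on header fields or on a fixed byte sequence in the payload, optionally restricted to a port. The following Python is an added example, not code from the slides or from any real IDS; the Packet record, the second signature's bytes and port, and the sample traffic are all constructed for illustration.

```python
"""Minimal misuse (signature-based) detector over constructed packet records.

Added example, not from the lecture slides. A Signature combines an optional
header condition, an optional fixed byte pattern that must appear in the
payload of a single packet, and an optional destination-port filter.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    payload: bytes = b""


@dataclass(frozen=True)
class Signature:
    name: str
    header: Optional[Callable[[Packet], bool]] = None  # None: any header
    content: Optional[bytes] = None  # fixed byte sequence in the payload
    dst_port: Optional[int] = None   # only inspect traffic to this port

    def matches(self, pkt):
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        if self.header is not None and not self.header(pkt):
            return False
        if self.content is not None and self.content not in pkt.payload:
            return False
        return True


# First rule is the slide's own example. The second is a hypothetical content
# signature on a hypothetical port (assumption), standing in for any documented
# attack pattern; the bytes are made up for the example.
SIGNATURES = [
    Signature("land attack", header=lambda p: p.src_ip == p.dst_ip),
    Signature("example payload signature",
              content=b"EXAMPLE-BAD-STRING", dst_port=8080),
]


def scan(packets, signatures=SIGNATURES):
    """Return (packet_index, signature_name) for every match.

    A packet may match several signatures; every signature is evaluated for
    every packet, which is the cost the slides mention for signature systems.
    """
    hits = []
    for i, pkt in enumerate(packets):
        for sig in signatures:
            if sig.matches(pkt):
                hits.append((i, sig.name))
    return hits


# Constructed traffic, not captured data.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "10.0.0.5", 139, 139),  # source equals destination
    Packet("10.0.0.7", "10.0.0.9", 40000, 8080, b"GET / EXAMPLE-BAD-STRING"),
    Packet("10.0.0.7", "10.0.0.9", 40001, 9090, b"EXAMPLE-BAD-STRING"),  # wrong port: not inspected
    Packet("10.0.0.7", "10.0.0.9", 40002, 8080, b"GET / HTTP/1.1"),      # benign
]

if __name__ == "__main__":
    for idx, name in scan(SAMPLE_PACKETS):
        print(f"packet {idx}: {name}")
```

The third sample packet carries the pattern but on a port the signature does not cover, so it is not reported: this is the port filtering the text describes, and also a reminder that a signature scoped too narrowly misses the same bytes elsewhere, while one scoped too broadly produces the false positives the next slide lists.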

Pattern-Matching Detection (PMD)


Some disadvantages:
Pattern matching may have difficulty detecting attacks to well-known ports.
PMD may result in an inordinate amount of false positives if the matching is based on a pattern that is not unique.
PMD is only as good as the database of attack signatures used for comparison.

Anomaly-based IDS


This IDS models the normal usage of the network as a noise characterization. Anything distinct from the noise is assumed to be an intrusion activity.
E.g., flooding a host with lots of packets.

The primary strength is its ability to recognize novel attacks.
Assumes that intrusions will be accompanied by manifestations that are sufficiently unusual so as to permit detection. These generate many false alarms and hence compromise the effectiveness of the IDS.

Anomaly Detection
[Figure: activity measures (CPU, process size) plotted on a 0-90 scale against a normal profile; a point far outside the profile is marked abnormal, a probable intrusion.]

Problem: relatively high false positive rate; anomalies can just be new normal activities.

Anomaly-Based Intrusion Detection Systems

Identify intrusions by detecting anomalies
Works on the notion that attack behavior differs enough from normal user behavior
System administrator defines the baseline of normal behavior
Ability to detect new attacks
Issues: false positives, heavy processing overheads, time to create statistically significant baselines

Intrusion Detection Schemes (1)


Statistical Anomaly Detection (SAD)
SAD refers to using statistical profiles to identify anomalies within the network: the system keeps track of activities, and reports abnormal activity as an attack on the system.

How? The system keeps two distinct sets of data: a long-term usage data profile and a short-term observed usage data profile. The long-term usage data profile is a combination of the usage patterns that were detected in the long run, and vice versa. Long-term and short-term usage data are compared, and standard deviations are computed. If the deviations are statistically significant, then they are reported as potential attacks.
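The procedure just described, and the CPU/process-size picture on the "Anomaly Detection" slide, come down to the same computation: summarise the long-term data per activity measure as a mean and standard deviation, express the short-term observation as a number of standard deviations from that mean, and report measures whose deviation exceeds a threshold. This Python is an added example, not the slides' code; the activity measures, the numbers and the threshold of 3 standard deviations are assumptions made for the example.

```python
"""Statistical anomaly detection in the SAD style of the slides.

Added example, not from the lecture slides. A long-term usage profile
(mean and standard deviation per activity measure) is compared with a
short-term observed profile; statistically significant deviations are
reported. Activity measures and values are constructed.
"""
from statistics import mean, pstdev


def build_profile(history):
    """history: dict measure -> list of past observations (long-term data).
    Returns dict measure -> (mean, population standard deviation)."""
    profile = {}
    for measure, values in history.items():
        if len(values) < 2:
            raise ValueError(f"{measure}: need at least two observations")
        profile[measure] = (mean(values), pstdev(values))
    return profile


def deviations(profile, recent):
    """recent: dict measure -> list of short-term observations.
    Returns dict measure -> z-score of the short-term mean against the
    long-term profile (distance in long-term standard deviations)."""
    z = {}
    for measure, values in recent.items():
        mu, sigma = profile[measure]
        observed = mean(values)
        if sigma == 0:
            # a measure that never varied in the baseline: any change at all
            # is maximally surprising, no change is not surprising
            z[measure] = 0.0 if observed == mu else float("inf")
        else:
            z[measure] = (observed - mu) / sigma
    return z


def report(profile, recent, threshold=3.0):
    """Measures deviating by more than `threshold` standard deviations, i.e.
    potential attacks (or, as the slides warn, new normal behaviour that
    shows up as a false positive)."""
    return sorted(m for m, z in deviations(profile, recent).items()
                  if abs(z) > threshold)


# Constructed long-term data (assumption): 30 samples of two measures.
LONG_TERM = {
    "cpu_percent": [20, 22, 19, 21, 23, 20, 18, 22, 21, 20] * 3,
    "logins_per_hour": [5, 6, 4, 5, 7, 5, 6, 4, 5, 5] * 3,
}
# Constructed short-term window: CPU as usual, logins far above baseline.
SHORT_TERM = {
    "cpu_percent": [21, 22, 20],
    "logins_per_hour": [40, 45, 38],
}

if __name__ == "__main__":
    prof = build_profile(LONG_TERM)
    print(deviations(prof, SHORT_TERM))
    print("potential attacks:", report(prof, SHORT_TERM))
```

The slide's warning that attackers can train the system corresponds here to the long-term profile being rebuilt from data that already includes attack traffic: the mean and standard deviation drift until the same short-term values score below the threshold, so the baseline window should be fixed or curated rather than continuously absorbing whatever was observed.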

Statistical Anomaly Detection (SAD)


Pros: detection of attacks that would be missed by other detection mechanisms, with applications confined to specific types of traffic that can be easily measured.
Cons:
Deviations from baseline usage patterns can actually be false positives.
Attack reporting is hard to interpret or turn into an action.
Traffic is large and constantly changing -> difficult to establish a baseline.
Attacks can be contained within the baseline with no one the wiser.
Attackers can train the system: attack traffic seen as normal. False alarms.

Host-Based vs. Network-Based Systems (1)


Host-Based System (HIDS)
Runs on distinct hosts or devices within the network. Monitors the behavior of incoming and outgoing packets, and reports any abnormal activity detected. System logs (syslog), the integrity of the file system (fingerprinting), and process execution are examined, such as the TCPWrappers and the network stack.
"In a host-based system, the [intrusion detection system] examines the activity on each individual computer or host." - Webopedia.com

Host-Based IDSs


Using OS auditing mechanisms
E.g., log all direct or indirect events generated by a user

Monitoring user activities
Monitoring executions of system programs

Host/Applications based IDS


The host operating system or the application logs the audit information. This audit information includes events like the use of identification and authentication mechanisms (logins etc.), file opens and program executions, admin activities etc. This audit trail is then analyzed to detect traces of intrusion.
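What "analyzing the audit trail" looks like in practice, as an added example that is not code from the slides: a parser for a simple audit record format and three detection rules over the event kinds the slide lists (logins, file opens, program executions, admin activity). The record layout, the field names, the thresholds and the sample lines are all assumptions constructed for this example, not a real system's log format.

```python
"""Host-based audit-trail analysis over constructed audit records.

Added example, not the slides' own code. Assumed record layout:
    <epoch seconds> <event> key=value [key=value ...]
Event kinds used: login_failed, login_ok, file_open, exec.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(?P<ts>\d+) (?P<event>[a-z_]+) (?P<fields>.*)$")


def parse_audit(lines):
    """Yield one dict per well-formed record: ts (int), event, and the
    key=value fields. Malformed lines are skipped rather than crashing
    the monitor."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = {"ts": int(m["ts"]), "event": m["event"]}
        for kv in m["fields"].split():
            k, _, v = kv.partition("=")
            rec[k] = v
        yield rec


def find_trails(records, max_failures=3, window=60,
                admin_users=frozenset({"root"}),
                sensitive_paths=frozenset({"/etc/shadow"})):
    """Three simple intrusion trails (rule parameters are assumptions):
    - at least max_failures failed logins for a user within `window`
      seconds followed by a successful login for that user;
    - a sensitive file opened by a user who is not an admin;
    - a program marked privileged=yes executed by a non-admin user.
    Returns a sorted list of (ts, description)."""
    alerts = []
    failures = defaultdict(list)  # user -> timestamps of recent failures
    for r in records:
        user = r.get("user", "?")
        if r["event"] == "login_failed":
            failures[user].append(r["ts"])
        elif r["event"] == "login_ok":
            recent = [t for t in failures[user] if r["ts"] - t <= window]
            if len(recent) >= max_failures:
                alerts.append((r["ts"], f"repeated failures then success: user={user}"))
            failures[user].clear()
        elif (r["event"] == "file_open" and r.get("path") in sensitive_paths
              and user not in admin_users):
            alerts.append((r["ts"], f"sensitive file opened by non-admin: user={user} path={r['path']}"))
        elif (r["event"] == "exec" and r.get("privileged") == "yes"
              and user not in admin_users):
            alerts.append((r["ts"], f"privileged program run by non-admin: user={user} path={r.get('path')}"))
    return sorted(alerts)


# Constructed audit lines (not a real log).
SAMPLE_AUDIT = """
1000 login_failed user=alice src=10.0.0.2
1005 login_failed user=alice src=10.0.0.2
1009 login_failed user=alice src=10.0.0.2
1012 login_ok user=alice src=10.0.0.2
1020 file_open user=alice path=/etc/shadow mode=r
1030 exec user=alice path=/usr/sbin/useradd privileged=yes
1100 login_failed user=bob src=10.0.0.3
1400 login_ok user=bob src=10.0.0.3
1500 exec user=root path=/usr/sbin/useradd privileged=yes
""".strip().splitlines()

if __name__ == "__main__":
    for ts, msg in find_trails(parse_audit(SAMPLE_AUDIT)):
        print(ts, msg)
```

Bob's single failure and root's privileged execution produce nothing; the three alerts all concern alice, which is the kind of correlated trail a host-based analysis can build because it sees logins, file opens and executions for the same user in one audit stream. The rules are only as good as what is logged: if file opens were not recorded, the second alert would silently disappear, which is the selectivity trade-off the next slide raises.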

Drawbacks of the host based IDS


The kind of information that needs to be logged is a matter of experience. Unselective logging of messages may greatly increase the audit and analysis burdens. Selective logging runs the risk that attack manifestations could be missed.

Strengths of the host based IDS


Attack verification
System-specific activity
Encrypted and switched environments
Monitoring key components
Near real-time detection and response
No additional hardware

(Host-Based vs. Network-Based) Systems (2)


Network-based system (NIDS)
The individual packets flowing through a network are analyzed. NIDS can detect suspicious packets that are designed to be overlooked by a firewall's crude filtering rules. The network traffic is examined for pattern matching among packets, and the flow of the network is also examined.

Network IDSs
Deploying sensors at strategic locations
E.g., packet sniffing via tcpdump at routers

Inspecting network traffic


Watch for violations of protocols and unusual connection patterns

Monitoring user activities


Look into the data portions of the packets for malicious command sequences

May be easily defeated by encryption


Data portions and some header information can be encrypted
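Two of the points above fit together: a network IDS can watch for unusual connection patterns from header and flow information alone, and that is exactly what survives when the data portion is encrypted. The following Python is an added example, not code from the slides or from tcpdump or any real sensor; the flow record, the thresholds (10 distinct ports within 30 seconds) and the sample flows are assumptions constructed for the example.

```python
"""Flow-level detection of unusual connection patterns.

Added example, not from the lecture slides. Works on per-connection
metadata (time, source, destination, destination port) that a network
sensor still sees when payloads are encrypted.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int          # seconds
    src: str
    dst: str
    dst_port: int
    encrypted: bool  # e.g. TLS: headers visible, payload opaque to the sensor


def port_fanout_alerts(flows, min_ports=10, window=30):
    """Report a source that reaches at least `min_ports` distinct destination
    ports on one host within `window` seconds. Only the first crossing of the
    threshold per (src, dst) pair is reported, to avoid an alarm per packet.
    Returns a sorted list of (ts, src, dst, distinct_ports)."""
    seen = defaultdict(list)  # (src, dst) -> [(ts, port), ...] inside window
    alerts = {}
    for f in sorted(flows, key=lambda f: f.ts):
        key = (f.src, f.dst)
        # drop observations that fell out of the sliding window
        seen[key] = [(t, p) for t, p in seen[key] if f.ts - t <= window]
        seen[key].append((f.ts, f.dst_port))
        ports = {p for _, p in seen[key]}
        if len(ports) >= min_ports and key not in alerts:
            alerts[key] = (f.ts, f.src, f.dst, len(ports))
    return sorted(alerts.values())


def payload_visibility(flows):
    """Fraction of flows whose data portion the sensor could inspect: the
    slides' point that content matching is defeated by encryption while
    flow-level detection (above) keeps working."""
    if not flows:
        return 0.0
    return sum(1 for f in flows if not f.encrypted) / len(flows)


# Constructed flows: one source touches 12 ports on one host within 12
# seconds; another makes a few ordinary encrypted connections.
SAMPLE_FLOWS = [Flow(100 + i, "10.0.0.50", "10.0.0.10", 1 + i, False)
                for i in range(12)]
SAMPLE_FLOWS += [Flow(200 + 60 * i, "10.0.0.51", "10.0.0.20", 443, True)
                 for i in range(5)]

if __name__ == "__main__":
    print(port_fanout_alerts(SAMPLE_FLOWS))
    print("inspectable payload fraction:", payload_visibility(SAMPLE_FLOWS))
```

The sliding window matters: the same ten ports touched a hundred seconds apart produce no alert, which keeps slow, legitimate service discovery quiet but also means a threshold and window must be chosen against the site's own traffic, the baseline problem the anomaly slides discuss.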

Network based IDS


This IDS looks for attack signatures in network traffic via a promiscuous interface. A filter is usually applied to determine which traffic will be discarded or passed on to an attack recognition g module. This helps p to filter out known un-malicious traffic.

Strengths of Network based IDS


Cost of ownership reduced
Packet analysis
Evidence removal
Real-time detection and response
Malicious intent detection
Complement and verification
Operating system independence

What is a Honeypot?
An information system resource whose value lies in unauthorized or illicit use of that resource [Spitzner]
A honeypot is put up for several reasons:
To watch what attackers do, in order to learn about new attacks
To lure an attacker to a place in which one may be able to learn enough to identify and stop the attacker
To distract adversaries from more valuable machines on a network

Uses of Honeypots

Prevent Attacks
Network Security
Studying traffic patterns
Determine new hacker techniques
Detect Attacks
Spam Prevention
Credit card fraud identification

Advantages & Disadvantages


Advantages:
Simple to create and maintain
Collect information of great value
Reduce false positives
Capture any activity; can work in IPv6/encrypted networks

Disadvantage:
Can only track activity that directly interacts with them

Module
Outline Syllabus
Concept of Secure Computing, Domain of Protection, Social Engineering, Attacks and Defenses, Defining Security Policy, Classical Ciphers, Encryption and Decryption, Symmetric and Asymmetric Ciphers, Operating System Holes, Application Security (Web, e-mail, Databases), Viruses, Privacy, and Digital Rights Management, Intrusion Detection Systems, Secure Protocols, Security of Middleware, Software Protection, Web Security and Wireless Network Security.
