Attack Detection
Categories
Detection quality
[NetSec], WS 2007/2008
15.1
Introduction
Definition: Intrusion
An Intrusion is unauthorized access to and/or activity in an information
system.
Introduction
Intrusion Detection
Misuse Detection: Tries to detect misuse by insiders, e.g. users that try to
access services on the internet by bypassing security directives
Intrusion Prevention
Attack Taxonomy
Source: [Mirkovic2004]
Intrusion Detection
Detection techniques
Signature-based or knowledge-based detection
Anomaly detection
Response
Counteracting an attack
Evaluation
False-positive rate
False-negative rate
Four dimensions (figure; only the labels were recovered): host-based vs. network-based, anomaly detection vs. knowledge-based
Figure (only the labels were recovered): Internet, DMZ, LAN
Knowledge-based Detection
Working principles
Pros
Cons
Scan for attacks using well-known vulnerabilities, e.g. patterns to attack IIS web servers or MSSQL databases
Scan for pre-defined numbers of ICMP, TCP SYN, etc. packets
Patterns can be specified at each protocol level
Network protocol (e.g. IP, ICMP)
Transport protocol (e.g. TCP, UDP)
Application protocol (e.g. HTTP, SMTP)
Examples
Snort, Bro
Anomaly Detection
Working principles
Pros
Cons
Examples
PHAD/ALAD, Emerald
Anomaly Identification
Source: [Barford2001]
Source: [Estevez-Tapiador2004]
Detection Quality
Source: [Estevez-Tapiador2004]
Classification Criteria
Source: [Estevez-Tapiador2004]
Signal analysis
Source: [Barford2002]
Source: [Ohsita2004]
Immunological approach
PHAD
Protocol analysis
learns normal ranges of values for each header field (link, network, transport layer)
score_field = t * n / r, where (following [Mahoney2001]):
t: time since the field was last anomalous
n: number of observations of the field during training
r: number of distinct values (new ranges) observed during training
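Worked example, added here and not taken from the lecture or from the PHAD authors: a small PHAD-style scorer that learns per-field value ranges from training traffic and scores a packet with t * n / r. The header field names, the training traffic and the test packets are constructed for illustration; the limit of 32 ranges per field follows the PHAD description.

```python
"""PHAD-style header-field anomaly scoring, score_field = t * n / r (after Mahoney & Chan)."""
from dataclasses import dataclass, field

MAX_RANGES = 32   # PHAD keeps at most 32 value ranges (clusters) per header field

@dataclass
class FieldModel:
    ranges: list = field(default_factory=list)   # [lo, hi] intervals learned as normal
    n: int = 0                  # number of training observations of this field
    r: int = 0                  # number of times training had to add a new range
    last_anomaly: float = 0.0   # time of the last anomaly in this field, training or detection

    def contains(self, value):
        return any(lo <= value <= hi for lo, hi in self.ranges)

    def train(self, value, now):
        self.n += 1
        if self.contains(value):
            return
        self.r += 1                          # a novel value is a training-time anomaly
        self.last_anomaly = now
        self.ranges.append([value, value])
        if len(self.ranges) > MAX_RANGES:    # too many ranges: merge the two closest
            self.ranges.sort()
            i = min(range(len(self.ranges) - 1),
                    key=lambda k: self.ranges[k + 1][0] - self.ranges[k][1])
            self.ranges[i][1] = self.ranges[i + 1][1]
            del self.ranges[i + 1]

    def score(self, value, now):
        if self.r == 0 or self.contains(value):
            return 0.0
        t = now - self.last_anomaly          # seconds since this field was last anomalous
        self.last_anomaly = now              # a burst of repeats therefore scores less each time
        return t * self.n / self.r

def train(models, packet, now):
    for name, value in packet.items():
        models.setdefault(name, FieldModel()).train(value, now)

def score(models, packet, now):   # packet score = sum over its anomalous fields
    return sum(m.score(packet[name], now) for name, m in models.items() if name in packet)

def build_demo_models():   # constructed traffic: TTL alternates 64/128, flags cycle SYN/ACK/PSH-ACK
    models = {}
    for i in range(1000):
        train(models, {"ip_ttl": 64 if i % 2 == 0 else 128,
                       "tcp_flags": (0x02, 0x10, 0x18)[i % 3], "ip_proto": 6}, now=float(i))
    return models
```

A packet with a never-seen TTL scores high the first time and much lower when it repeats half a second later, which is the t factor at work.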
ALAD
Extension to PHAD
Five models:
IDMEF
RFC 4765
Object-oriented approach
XML-based encoding
IDMEF
Message types
Heartbeat message
Alert message
Event report
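Added example (not from the lecture): building and parsing minimal RFC 4765 Alert and Heartbeat messages with Python's ElementTree, using the IDMEF namespace and the mandatory Analyzer, CreateTime and Classification elements. The analyzer id, message ids, addresses and classification text are constructed values.

```python
"""Minimal IDMEF (RFC 4765) Alert and Heartbeat messages: build them, then parse them as a manager would."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = "http://iana.org/idmef"          # namespace fixed by RFC 4765
ET.register_namespace("idmef", NS)

def _tag(name):
    return f"{{{NS}}}{name}"          # Clark notation ElementTree uses for namespaced tags

def _message(kind, analyzer_id, msg_id, when):   # skeleton shared by both message types
    root = ET.Element(_tag("IDMEF-Message"), version="1.0")
    msg = ET.SubElement(root, _tag(kind), messageid=msg_id)
    ET.SubElement(msg, _tag("Analyzer"), analyzerid=analyzer_id)   # mandatory: which sensor reports
    when = when or datetime.now(timezone.utc)
    secs = int((when - datetime(1900, 1, 1, tzinfo=timezone.utc)).total_seconds())
    # CreateTime is mandatory and carries an NTP timestamp attribute (seconds since 1900, in hex)
    ET.SubElement(msg, _tag("CreateTime"), ntpstamp=f"0x{secs:08x}.0x00000000").text = when.isoformat()
    return root, msg

def _endpoint(alert, kind, ip):   # Source/Target hold a Node with an ipv4 Address
    node = ET.SubElement(ET.SubElement(alert, _tag(kind)), _tag("Node"))
    addr = ET.SubElement(node, _tag("Address"), category="ipv4-addr")
    ET.SubElement(addr, _tag("address")).text = ip

def build_alert(analyzer_id, msg_id, src_ip, dst_ip, text, when=None):
    root, alert = _message("Alert", analyzer_id, msg_id, when)
    _endpoint(alert, "Source", src_ip)
    _endpoint(alert, "Target", dst_ip)
    ET.SubElement(alert, _tag("Classification"), text=text)   # mandatory: what was detected
    return ET.tostring(root, encoding="unicode")

def build_heartbeat(analyzer_id, msg_id, interval_s, when=None):
    root, hb = _message("Heartbeat", analyzer_id, msg_id, when)
    ET.SubElement(hb, _tag("HeartbeatInterval")).text = str(interval_s)
    return ET.tostring(root, encoding="unicode")

def parse_message(xml_text):   # the fields a manager keys on; anything else is rejected
    ns, root = {"i": NS}, ET.fromstring(xml_text)
    msg = next((m for m in root if m.tag in (_tag("Alert"), _tag("Heartbeat"))), None)
    if root.tag != _tag("IDMEF-Message") or msg is None:
        raise ValueError("not an IDMEF Alert or Heartbeat")
    out = {"type": msg.tag.split("}")[1], "messageid": msg.get("messageid"),
           "analyzerid": msg.find("i:Analyzer", ns).get("analyzerid")}
    if out["type"] == "Alert":
        out.update(classification=msg.find("i:Classification", ns).get("text"),
                   source=msg.findtext("i:Source/i:Node/i:Address/i:address", namespaces=ns),
                   target=msg.findtext("i:Target/i:Node/i:Address/i:address", namespaces=ns))
    return out
```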
Advanced Systems:
SNORT
Bro
D-WARD
COSSACK
Prelude
DIADEM Firewall
CATS
Commercial systems:
Cisco IDS
Juniper NetScreen
Enterasys Intrusion Defense
NFR NID-310
McAfee IntruShield
ISS RealSecure
Benchmarking
Snort
Snort-Inline
Bro
Bro
Detailed view: [Paxson1999]
Bro
Event layer only knows that something has happened but not what
Bro signatures make use of regular expressions to be able to detect variations of a certain intrusion
Emerald
EMERALD, Stanford Research Institute (SRI) [Porras1997]
Main characteristics
Data sources
Resolver engine
Signature engine
Generation of an event stream from audit data, network datagrams, SNMP traffic
Event stream is parsed, filtered and formatted by event-collection methods
Profiler engine
Implementation
Prelude IDS
Prelude Hybrid IDS [PreludeIDS]:
Open-source intrusion detection and response system
Characteristics:
Sensors:
Managers:
D-WARD
DDoS Network Attack Recognition and Defense [Mirkovic2003]:
Architecture:
Limitations:
does not work with multi-homed networks and asymmetric routing
anomaly detection based on static, predefined models (no dynamic update)
conceived to detect and mitigate flooding attacks
requires large-scale deployment in order to be efficient
D-WARD
Figure from [Mirkovic2003] (only the labels were recovered): source network, Internet
COSSACK
Coordinated Suppression of Simultaneous Attacks [Papadopoulos2003]:
DIADEM Firewall
DIADEM Firewall (IST-2002-2.3.1.3) [www.diadem-firewall-org]:
Cooperating Autonomous Detection Systems (CATS)
Network monitoring environment:
Violation detection:
Firewall elements:
based on IPFIX/PSAMP/Netflow
dynamically reconfigurable according to the current needs for violation detection
System manager:
DIADEM Firewall
Architecture (figure; only the labels were recovered): Administrative Domain Level with the System Manager (violation detection, violation adaptation, configuration, notification of attacks); Element Level with Firewall Element and Monitoring Element (HW Abstraction Layer), exchanging monitoring data and response actions; Monitor Data Level with Internet Router, Firewall Device, Protected Customer, Operator network, Internet, Attacker
Comparison of the advanced systems (table; the header of the first column was lost in extraction)

Property                         | (header missing) | Prelude IDS | D-WARD | COSSACK | CATS
Local context                    | yes              | yes         | yes    | yes     | yes
Global context                   | no (host-based)  | no          | no     | yes     | yes
Attack detection
  Knowledge-based detection      | yes              | yes         | no     | no      | yes
  Anomaly detection              | yes              | no          | yes    | yes     | yes
  Autonomous behavior            | no               | no          | yes    | yes     | yes
Distributed intelligence
  Sep. of monitoring & detection | no               | no          | no     | no      | yes
  Distributed detection          | yes              | partly      | no     | no      | yes
Cisco IDS
Available as independent appliance and as plugin for the Catalyst 6500 Series Switches
Platform: specially adapted RedHat Linux (Solaris)
Stateful signature-based pattern recognition (>300 signatures available)
Protocol analysis (including layer 7 protocol decoding)
Traffic (statistical) and protocol (RFC conformity) anomaly detection
Reporting into HTML logs but also user-defined formats
Responses: TCP reset, reconfiguration of firewalls, dropping of packets
Centralized update of deployed sensors (signatures, policies...)
Update service provided by Cisco
Policy language for user-defined policies (makes use of signatures/statistics...)
Intrusion investigation (to classify severity of intrusions)
basic investigation of target vulnerability: probability of a successful intrusion on the target system (cf. Windows exploit on a Linux machine)
advanced investigation of target: tries to determine if an intrusion was successful (logs...)
forensic data capture: data which is important for forensic analysis is gathered. This prevents the intruder from covering his tracks and deleting information which might be used to discover his identity
gathered information is stored in an HTML-based database
Juniper - NetScreen
Juniper Networks Netscreen Intrusion Detection and Prevention (IDP)
Supported OS: Management Server: RedHat Linux, Solaris, GUI Clients for
W2K/WinXP, RedHat Linux, Sensor as Appliance
Signature-based intrusion detection (parallel signature matching)
stateful inspection
protocol anomaly detection
protocol reassembly, normalization and decoding
user defined signatures
signature update service (weekly/emergency)
Network honeypot, anomaly detection
Notification: email, syslog, SNMP trap, user defined scripts
Logging: database, XML, CSV
Response: TCP reset, close client/server connection, IP action
High availability through clustering, load balancing, standalone failover, physical redundancy
http://www.juniper.net/products/intrusion/
NFR NID-310
packet defragmentation
protocol decoding
stateful analysis
www.nfr.com
McAfee IntruShield
Appliance only (100 Mb/s to 2 Gb/s)
Signature based intrusion detection
Statistical detection of protocol and application anomalies and DoS attacks
Packet defragmentation, stream reassembly
>3000 predefined signatures, up to 3000 DoS profiles, user defined
signatures via GUI
Possibility to inspect SSL-encrypted sessions by storing the SSL key within the sensor; analysis of a decrypted copy of the traffic
Works in inline, tap, or span mode
Response: TCP reset, ICMP unreachable, dropping of packets, firewall reconfiguration
Integrated firewall
http://www.mcafeesecurity.com/de/products/mcafee/network_ips/intrushield_appliances.htm
ISS RealSecure
http://www.iss.net/products_services/enterprise_protection/rsnetwork/sensor.php
Feature comparison of the commercial systems (table; the YES cells could not be assigned to rows and columns in extraction, so only the headers are kept). Columns: Cisco IDS, Juniper NetScreen, Enterasys Intrusion Defense, NFR NID-310, McAfee IntruShield, ISS RealSecure. Rows: Available as Appliance; Available as Software; Protocol decoding; Packet defragmentation; Predefined Signatures; Logging (Database, File (XML, CSV, HTML...), Syslog Server); Response (TCP-Reset, ICMP-Unreachable, Packet drop, Firewall reconfiguration, User-defined action)
http://www.mazunetworks.com
Benchmarking
25%, 50%, 75%, 99% of the available bandwidth filled with background traffic
Source: [Athanasiades2003]
Categories
Knowledge-based / signature-based
Anomaly detection
Detection quality
False positives
False negatives
Additional References
[Barford2001] P. Barford and D. Plonka, "Characteristics of Network Traffic Flow Anomalies," Proceedings of ACM SIGCOMM Internet Measurement Workshop, October 2001.
[Barford2002] P. Barford, J. Kline, D. Plonka, and A. Ron, "A Signal Analysis of Network Traffic Anomalies," Proceedings of ACM SIGCOMM Internet Measurement Workshop, Marseilles, France, November 2002.
[Cabrera2000] J. B. D. Cabrera, B. Ravichandran, and R. K. Mehra, "Statistical Traffic Modeling for Network Intrusion Detection," Proceedings of 8th International Symposium on Modeling, Analysis and Simulation of Computer and Telecommunication Systems (MASCOTS), 2000, pp. 466.
[Caswell2004] B. Caswell and J. Hewlett, "Snort Users Manual," The Snort Project, Manual, May 2004. (http://www.snort.org/docs/snort_manual.pdf)
[Estevez-Tapiador2004] J. M. Estevez-Tapiador, P. Garcia-Teodoro, and J. E. Diaz-Verdejo, "Anomaly detection methods in wired networks: a survey and taxonomy," Computer Communications, vol. 27, July 2004, pp. 1569-1584.
[Hofmeyer1998] S. Hofmeyer, S. Forrest, and P. D'haeseleer, "An Immunological Approach to Distributed Network Intrusion Detection," Proceedings of First International Workshop on the Recent Advances in Intrusion Detection (RAID'98), Louvain-la-Neuve, Belgium, September 1998.
[Hussain2003] A. Hussain, J. Heidemann, and C. Papadopoulos, "A Framework for Classifying Denial of Service Attacks," Proceedings of ACM SIGCOMM Conference, Karlsruhe, Germany, August 2003, pp. 99-110.
[Kemmerer2002] R. Kemmerer and G. Vigna, "Intrusion Detection: A Brief History and Overview," IEEE Computer - Special Issue on Security and Privacy, April 2002, pp. 27-30.
[Mahoney2001] M. V. Mahoney and P. K. Chan, "PHAD: Packet Header Anomaly Detection for Identifying Hostile Network Traffic," Florida Tech., Technical Report CS-2001-4, 2001.
[Mirkovic2004] J. Mirkovic and P. Reiher, "A Taxonomy of DDoS Attack and DDoS Defense Mechanisms," ACM SIGCOMM Computer Communication Review, vol. 34, April 2004, pp. 39-53.
[Moore2001] D. Moore, G. M. Voelker, and S. Savage, "Inferring Internet Denial-of-Service Activity," Proceedings of USENIX Security Symposium, Washington, DC, August 2001.
[Wang2002] H. Wang, D. Zhang, and K. G. Shin, "Detecting SYN Flooding Attacks," Proceedings of IEEE INFOCOM 2002, 2002.