Date posted: 14-Apr-2018
7/30/2019 462intrusion detection system61838 Intrusion Detection Systems I
1/21
Intrusion Detection Systems (I)
Definitions
Intrusion: a set of actions aimed to compromise the security goals, namely integrity, confidentiality, or availability, of a computing and networking resource.
Intrusion detection: the process of identifying and responding to intrusion activities.
Why Is Intrusion Detection Necessary?
Figure: Prevent -> Detect -> React/Survive
Security principles: layered mechanisms
Elements of Intrusion Detection
Primary assumptions:
  System activities are observable
  Normal and intrusive activities have distinct evidence
Components of intrusion detection systems:
  From an algorithmic perspective: features capture intrusion evidence; models piece the evidence together
  From a system architecture perspective: audit data processor, knowledge base, decision engine, alarm generation and responses
Components of Intrusion Detection System
Figure: Audit Data -> Preprocessor -> Audit Records / Activity Data -> Detection Engine (using Detection Models) -> Alarms -> Decision Engine (using a Decision Table) -> Action/Report
The preprocessor stage relies on the assumption that system activities are observable; the detection engine relies on the assumption that normal and intrusive activities have distinct evidence.
Intrusion Detection Approaches
Modeling
  Features: evidence extracted from audit data
  Analysis approach: piecing the evidence together
    Misuse detection (a.k.a. signature-based)
    Anomaly detection (a.k.a. statistical-based)
Deployment: network-based or host-based
Development and maintenance
  Hand-coding of expert knowledge
  Learning based on audit data
Misuse Detection
Figure: intrusion patterns and observed activities feed a pattern-matching step; a match is reported as an intrusion.
Can't detect new attacks.
Example: if (src_ip == dst_ip) then land attack
Anomaly Detection
Figure: activity measures (CPU, process size) plotted on a 0-90 scale against the normal profile; activity far from the profile is abnormal, a probable intrusion.
Relatively high false positive rate: anomalies can just be new normal activities.
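Added example, not part of the slides: the land-attack signature from the misuse-detection slide beside a statistical profile over the CPU and process-size measures of the anomaly figure, run on constructed data; the last sample is the false positive the slide warns about, a new but legitimate activity.

```python
import statistics
from typing import Dict, List, Tuple

# --- Misuse detection: a hand-coded signature, the slide's land-attack rule ---
def land_attack_rule(pkt: Dict[str, str]) -> bool:
    """Signature: source and destination address of a packet are identical."""
    return pkt["src_ip"] == pkt["dst_ip"]

def misuse_detect(packets: List[Dict[str, str]], rules=(land_attack_rule,)):
    """Return packets matched by any rule; an attack with no rule never matches."""
    return [p for p in packets if any(rule(p) for rule in rules)]

# --- Anomaly detection: a statistical profile of (CPU %, process size) ---
class Profile:
    """Per-measure mean and standard deviation learned from normal activity."""
    def __init__(self, normal: List[Tuple[float, float]]):
        cols = list(zip(*normal))
        self.mean = [statistics.mean(c) for c in cols]
        self.std = [statistics.pstdev(c) or 1.0 for c in cols]  # guard zero spread

    def score(self, sample: Tuple[float, float]) -> float:
        """Largest z-score across the measures: distance from the normal profile."""
        return max(abs(x - m) / s for x, m, s in zip(sample, self.mean, self.std))

def anomaly_detect(profile: Profile, samples, threshold: float = 3.0):
    """Flag samples more than `threshold` standard deviations from the profile."""
    return [s for s in samples if profile.score(s) > threshold]

# Constructed training data: CPU % and process size (MB) of an interactive user.
NORMAL = [(5, 20), (8, 22), (6, 19), (7, 21), (9, 23), (5, 20), (6, 22), (8, 21)]
SAMPLES = [(7, 21),    # ordinary activity, inside the profile
           (85, 70),   # resource-hungry process: probable intrusion
           (60, 24)]   # a new, legitimate batch job: flagged anyway (false positive)
# Constructed packets; only the second one satisfies the land-attack rule.
PACKETS = [{"src_ip": "10.0.0.1", "dst_ip": "10.0.0.2"},
           {"src_ip": "10.0.0.9", "dst_ip": "10.0.0.9"}]
```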
Monitoring Networks and Hosts
Figure: network packets are captured with tcpdump; operating system events are recorded with BSM.
Key Performance Metrics
Algorithm (Alarm: A; Intrusion: I)
  Detection (true alarm) rate: P(A|I); false negative rate: P(¬A|I)
  False alarm rate: P(A|¬I); true negative rate: P(¬A|¬I)
  Bayesian detection rate: P(I|A)
Architecture
  Scalable
  Resilient to attacks
Bayesian Detection Rate
Base-rate fallacy: even if the false alarm rate P(A|¬I) is very low, the Bayesian detection rate P(I|A) is still low if the base rate P(I) is low.
E.g., if P(A|I) = 1, P(A|¬I) = 10^-5, P(I) = 2·10^-5, then P(I|A) = 66%
Implications to IDS:
  Design algorithms to reduce the false alarm rate
  Deploy the IDS at an appropriate point/layer with a sufficiently high base rate
P(I|A) = P(I) P(A|I) / (P(I) P(A|I) + P(¬I) P(A|¬I))
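Added example, not part of the slides: the metrics above computed from constructed (intrusion, alarm) outcomes, plus Bayes' rule checked against the slide's numbers and solved for the false-alarm rate a target P(I|A) demands at a given base rate.

```python
from typing import Dict, Iterable, Tuple

def rates(outcomes: Iterable[Tuple[bool, bool]]) -> Dict[str, float]:
    """Estimate the slide's metrics from (was_intrusion, alarm_raised) pairs.
    A = alarm raised, I = the event was an intrusion, ~ = negation."""
    tp = fn = fp = tn = 0
    for intrusion, alarm in outcomes:
        if intrusion and alarm:
            tp += 1
        elif intrusion:
            fn += 1
        elif alarm:
            fp += 1
        else:
            tn += 1
    pos, neg = tp + fn, fp + tn
    return {"P(A|I)": tp / pos,     # detection (true alarm) rate
            "P(~A|I)": fn / pos,    # false negative rate
            "P(A|~I)": fp / neg,    # false alarm rate
            "P(~A|~I)": tn / neg}   # true negative rate

def bayesian_detection_rate(p_a_i: float, p_a_not_i: float, p_i: float) -> float:
    """P(I|A) = P(I)P(A|I) / (P(I)P(A|I) + P(~I)P(A|~I)), i.e. Bayes' rule."""
    hit = p_i * p_a_i
    return hit / (hit + (1 - p_i) * p_a_not_i)

def max_false_alarm_rate(target_p_i_a: float, p_i: float, p_a_i: float = 1.0) -> float:
    """Largest P(A|~I) that still reaches P(I|A) >= target: Bayes' rule solved
    for P(A|~I). A low base rate makes this requirement very strict."""
    return p_a_i * p_i * (1 - target_p_i_a) / (target_p_i_a * (1 - p_i))

# Constructed audit outcomes: 1000 events, 10 intrusions (9 alarmed), 10 false alarms.
SAMPLE = ([(True, True)] * 9 + [(True, False)]
          + [(False, True)] * 10 + [(False, False)] * 980)

# The slide's numbers: P(A|I) = 1, P(A|~I) = 1e-5, P(I) = 2e-5 gives P(I|A) of about 2/3.
SLIDE_BDR = bayesian_detection_rate(1.0, 1e-5, 2e-5)
```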
Example ROC Curve
Figure: % Detect (y-axis) against % False Alarm (x-axis), with one curve each for IDS1 and IDS2.
An ideal system should have a 100% detection rate with 0% false alarms.
Host-Based IDSs
Using OS auditing mechanisms
  e.g., BSM on Solaris: logs all direct or indirect events generated by a user
  strace for system calls made by a program
Monitoring user activities
  e.g., analyze shell commands
Monitoring executions of system programs
  e.g., analyze system calls made by sendmail
Network IDSs
Deploying sensors at strategic locations
  e.g., packet sniffing via tcpdump at routers
Inspecting network traffic
  Watch for violations of protocols and unusual connection patterns
Monitoring user activities
  Look into the data portions of the packets for malicious command sequences
May be easily defeated by encryption
  Data portions and some header information can be encrypted
Other problems
Architecture of Network IDS
Figure: Network -> libpcap -> Event Engine -> Policy Script Interpreter -> Alerts/notifications
  libpcap receives the packet stream and, using tcpdump filters, passes a filtered packet stream to the Event Engine
  The Event Engine turns the filtered packet stream into an event stream, under event control from the policy script
  The Policy Script Interpreter runs the policy script over the event stream and emits alerts/notifications
Firewall Versus Network IDS
Firewall: active filtering; fail-close
Network IDS: passive monitoring; fail-open
Figure: placement of the FW and the IDS
Requirements of Network IDS
High-speed, large volume monitoring: no packet filter drops
Real-time notification
Mechanism separate from policy
Extensible
Broad detection coverage
Economy in resource usage
Resilience to stress
Resilience to attacks upon the IDS itself!
Eluding Network IDS
What the IDS sees may not be what the end system gets.
Insertion and evasion attacks: the IDS needs to perform full reassembly of packets.
But there are still ambiguities in protocols and operating systems, e.g., TTL, fragments.
Need to normalize the packets.
Insertion Attack
Figure: attacker's data stream A T X T A C K; the end system sees A T T A C K, the IDS sees A T X T A C K (the IDS accepts the X that the end system rejects).
Examples: bad checksum, TTL.
Evasion Attack
Figure: attacker's data stream; the end system sees A T T A C K, the IDS sees A T T C K (the IDS misses a piece that the end system accepts).
Example: fragmentation overlap.
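Added example, not from the slides: a toy byte-offset model of the insertion and evasion figures above, with an IDS that reassembles everything it captures, an end system assumed to sit HOPS routers further on with a different overlap policy, and an in-line normalizer of the kind the "Eluding Network IDS" slide calls for. In this offset model the inserted byte replaces rather than shifts, so the IDS sees ATXACK rather than the schematic ATXTACK; all streams, TTLs and hop counts are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, List
@dataclass
class Segment:
    offset: int   # byte offset of the data within the stream
    data: bytes
    ttl: int      # IP TTL as captured at the sensor

def reassemble(segs: Iterable[Segment], accept: Callable[[Segment], bool],
               policy: str = "first") -> bytes:
    """Rebuild the stream from the segments that pass `accept`.
    policy='first' keeps the first byte seen at an offset; policy='last' lets a
    later overlapping segment overwrite it. Real stacks differ in this choice."""
    buf = {}
    for s in segs:
        if not accept(s):
            continue
        for i, b in enumerate(s.data):
            if policy == "last" or s.offset + i not in buf:
                buf[s.offset + i] = b
    return bytes(buf[k] for k in sorted(buf))

def ids_view(segs: List[Segment], policy: str = "first") -> bytes:
    # A passive sensor cannot tell which captured segments will reach the host.
    return reassemble(segs, lambda s: True, policy)

def host_view(segs: List[Segment], hops: int, policy: str = "last") -> bytes:
    # Assumed: the end system is `hops` routers beyond the sensor, so a
    # segment is delivered only if its TTL survives that many decrements.
    return reassemble(segs, lambda s: s.ttl > hops, policy)

def normalize(segs: List[Segment], hops: int) -> List[Segment]:
    """In-line normalizer ahead of the host: drop segments that cannot reach it
    and rewrite overlapping retransmissions to repeat the bytes already
    forwarded, so the IDS view and the host view can no longer diverge."""
    seen, out = {}, []
    for s in segs:
        if s.ttl <= hops:
            continue
        data = bytearray(s.data)
        for i in range(len(data)):
            data[i] = seen.setdefault(s.offset + i, data[i])
        out.append(Segment(s.offset, bytes(data), s.ttl))
    return out
HOPS = 5  # assumed distance from the sensor to the monitored host
# Constructed insertion stream: the 'X' carries a TTL that expires before the host.
INSERTION = [Segment(0, b"AT", 64), Segment(2, b"X", 3), Segment(2, b"TACK", 64)]
# Constructed evasion stream: an overlapping retransmission carries different data.
EVASION = [Segment(0, b"ATT", 64), Segment(3, b"CK", 64), Segment(3, b"ACK", 64)]
```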
DoS Attacks on Network IDS
Resource exhaustion
  CPU resources
  Memory
  Network bandwidth
Abusing reactive IDS
  False positives
  Nuisance attacks or error packets/connections