Intrusion Detection and Honeypots
CSC 482: Computer Security Slide #1
Topics
1. Definitions and Goals
2. Models of Intrusion Detection
3. Base Rate Fallacy
4. Honeypots: An Alternative Approach
5. Architecture of an IDS
6. Example IDS: snort
7. Active Response: Intrusion Prevention Systems (IPS)
8. Host-based IDS and IPS
9. IDS Evasion Techniques
IDS Terminology
- Intrusion: actions aimed at compromising the security of the target (confidentiality, integrity, availability of computing/networking resources).
- Intrusion detection: the identification, through intrusion signatures, and reporting of intrusion activities.
- Intrusion prevention: the process of both detecting intrusion activities and managing automatic responsive actions throughout the network.
Goals of IDS
1. Detect a wide variety of intrusions.
   - Previously known and unknown attacks.
   - Need to adapt to new attacks or changes in behavior.
2. Detect intrusions in a timely fashion.
   - May need to be real-time, especially when the system responds to the intrusion.
   - Problem: analyzing commands may impact the response time of the system.
   - May suffice to report that an intrusion occurred a few minutes or hours ago.
Goals of IDS (continued)
3. Present analysis in an easy-to-understand format.
   - Ideally a binary indicator.
   - Usually more complex, allowing the analyst to examine the suspected attack.
   - The user interface is critical, especially when monitoring many systems.
4. Be accurate.
   - Minimize false positives and false negatives.
   - Minimize time spent verifying attacks and looking for them.
Deep Packet Inspection
DPI = analysis of application-layer data.
- Protocol standard compliance: Is port 53 traffic DNS or a covert shell session? Is port 80 traffic HTTP or tunneled IM or P2P?
- Protocol anomaly detection: Traffic is valid HTTP, but a suspicious URL contains directory traversal.
Models of Intrusion Detection
1. Anomaly detection
   - What is usual is known. What is unusual is bad.
   - Statistical IDS.
   - Need to update the profile so that it matches current usual activities on the systems.
2. Misuse detection
   - What is bad is known. Look for what is bad, and hope it doesn't change.
   - Rule-based IDS.
   - Need to regularly update the database of intrusion signatures.
Possible Alarm Outcomes

                    Intrusion Attack     No Intrusion Attack
  Alarm Sounded     True Positive        False Positive
  No Alarm Sounded  False Negative       True Negative
Base-Rate Fallacy
- Difficult to create an IDS with a high true-positive rate and a low false-negative rate.
- If the number of actual intrusions is relatively small compared to the amount of data being analyzed, then the effectiveness of an intrusion detection system can be reduced.
- In particular, the effectiveness of some IDSs can be misinterpreted due to a statistical error known as the base-rate fallacy.
- This type of error occurs when the probability of some conditional event is assessed without considering the "base rate" of that event.
Base-Rate Fallacy Example
Example case:
- IDS is 99% accurate: 1% false positives or negatives.
- IDS generates 1,000,100 log entries.
- Base rate is 100 malicious events out of 1,000,100 examined.
Results:
- Of 100 malicious events, 99 will be detected as malicious, which means we have 1 false negative.
- Of 1,000,000 benign events, 10,000 will be mistakenly identified as malicious. That is, we have 10,000 false positives!
- Thus, 10,099 alarms sounded, 10,000 of which are false alarms. Roughly 99% of our alarms are false alarms.
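The arithmetic of the slide, carried through in code so the effect of the base rate can be explored for other detector qualities. This is an added example, not part of the lecture: it builds the confusion-matrix counts from a detection rate and a false-positive rate, and computes P(intrusion | alarm) with Bayes' rule, the conditional probability the fallacy ignores. The slide's figures (1,000,100 events, 100 malicious, 99% accuracy) are the first case; the other false-positive rates tried are constructed.

```python
"""Base-rate fallacy worked through in code (added example, not from the slides)."""
from dataclasses import dataclass


@dataclass
class AlarmOutcomes:
    """The four cells of the 'Possible Alarm Outcomes' table."""
    true_positives: int
    false_negatives: int
    false_positives: int
    true_negatives: int

    @property
    def alarms(self) -> int:
        return self.true_positives + self.false_positives

    @property
    def false_alarm_fraction(self) -> float:
        """Fraction of alarms that are false, i.e. 1 - precision."""
        return self.false_positives / self.alarms if self.alarms else 0.0


def alarm_outcomes(total_events: int, malicious_events: int,
                   detection_rate: float, false_positive_rate: float) -> AlarmOutcomes:
    """Expected outcome counts for an IDS over a fixed set of events."""
    benign_events = total_events - malicious_events
    tp = round(malicious_events * detection_rate)      # attacks caught
    fp = round(benign_events * false_positive_rate)    # benign events flagged
    return AlarmOutcomes(true_positives=tp,
                         false_negatives=malicious_events - tp,
                         false_positives=fp,
                         true_negatives=benign_events - fp)


def alert_precision(base_rate: float, detection_rate: float,
                    false_positive_rate: float) -> float:
    """P(intrusion | alarm) by Bayes' rule.

    P(I|A) = P(A|I) P(I) / (P(A|I) P(I) + P(A|not I) P(not I))
    """
    p_alarm = detection_rate * base_rate + false_positive_rate * (1 - base_rate)
    return detection_rate * base_rate / p_alarm


if __name__ == "__main__":
    # Numbers from the slide.
    slide = alarm_outcomes(1_000_100, 100, detection_rate=0.99, false_positive_rate=0.01)
    print(slide)
    print(f"{slide.alarms} alarms, {slide.false_positives} false -> "
          f"{slide.false_alarm_fraction:.1%} of alarms are false")
    # Constructed comparison: even a much lower FPR leaves most alarms false
    # while intrusions stay this rare.
    base_rate = 100 / 1_000_100
    for fpr in (0.01, 0.001, 0.0001):
        print(f"FPR={fpr:<7} P(intrusion | alarm)={alert_precision(base_rate, 0.99, fpr):.3f}")
```

The precision formula and the counted table agree exactly: 99/10,099 alarms are real intrusions, about 0.98%, which is what the slide's "roughly 99% false alarms" means. Lowering the false-positive rate helps far more than raising the detection rate, because the false-positive term is multiplied by the huge benign population.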
Honeypots and Honeynets
Honeypot: a system designed solely for intruders to attack, in order to accomplish one or more of the following goals. Also known as a honeynet.
1. Detect intrusions with very few false positives, since legitimate users have no reason to access the honeypot.
2. Monitor attacker activities to determine targeted assets, origin, motivation, capabilities, etc.
3. Waste intruder time attacking the honeypot, so that the defender has time to respond to the incident.
Low Interaction Honeypots
- honeyd: responds to probes on a set of unused IP addresses via shell scripts that can return banners for simple scans like nmap -sV.
- nepenthes: emulates vulnerable Windows services to collect exploits and malware.
- Dionaea: scriptable honeypot designed to emulate a wide variety of vulnerable services to collect exploits and malware.
- Fakenet: simulates DNS, HTTP, and HTTPS to dynamically analyze malware. Returns reasonable responses to malware requests.
Medium Interaction Honeypots
Kippo is a medium interaction ssh honeypot designed to log brute force attacks and attacker shell commands. Inspired by Kojoney, a LI ssh honeypot.
- Fake filesystem with the ability to add/remove files.
- Possibility of adding fake file contents so the attacker can 'cat' files such as /etc/passwd. Only minimal file contents are included.
- Saves files downloaded with wget for later inspection.
- Deception: ssh pretends to connect, apt-get pretends to install, etc.
High Interaction Honeypots
Honeywall sets up tools for HI honeypots.
- Environment simulation: virtual machines configured with appropriate tools for the next three tasks.
- Data control: firewalling tools to limit attacker activities to avoid damaging other systems.
- Data collection: network (snort) and keystroke loggers (Sebek kernel module).
- Data analysis: tools to extract relevant data from tcpdump logs and more.
Client Honeypots
- Honeymonkey: Microsoft Research project. Network of VMs running IE crawling the web in search of malicious sites that attempt to exploit browsers and distribute malware. Multiple versions of Windows and IE used.
- Thug: low interaction client honeypot. Emulates multiple browsers and OSes.
Honeytokens
A honeytoken is data that is designed solely for attackers to abuse. Any access to the data is an indication of unauthorized use.
- Attempts to download honeytoken files or database records can be identified by NIDS.
- Medical record systems will sometimes create fake records for celebrities and politicians.
- Mailing lists may contain email addresses published nowhere else that point to accounts that accept mail and record sender information.
- Maps contain fake streets, towns, or islands to identify when competitors copy the map.
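The detection side of the first two bullets (a decoy file and a fake medical record) as a small log monitor. This is an added example, not from the lecture: the token values, the hosts, and the Apache-style access log lines are all constructed here. Because no legitimate request should ever reference a honeytoken, every hit is reported without further scoring, which is what gives this class of detection its very low false-positive rate.

```python
"""Honeytoken access detection over constructed access-log lines (added example)."""
import re
from typing import Iterable, List, NamedTuple

# Constructed honeytokens. Each should exist nowhere a legitimate user would look.
HONEYTOKENS = {
    "/backup/payroll_2011.xlsx": "decoy file on the web share",
    "patient_id=9000001": "fake celebrity medical record",
}

# Constructed Apache-style access log: client, time, request, status, size.
LOG_LINES = """\
10.0.0.5 - - [02/Mar/2011:10:01:12 -0500] "GET /index.html HTTP/1.1" 200 1024
10.0.0.9 - - [02/Mar/2011:10:01:15 -0500] "GET /backup/payroll_2011.xlsx HTTP/1.1" 200 88211
10.0.0.5 - - [02/Mar/2011:10:02:02 -0500] "GET /records/view?patient_id=9000001 HTTP/1.1" 200 4112
10.0.0.7 - - [02/Mar/2011:10:02:40 -0500] "GET /records/view?patient_id=1234 HTTP/1.1" 200 3980
""".splitlines()

ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


class HoneytokenAlert(NamedTuple):
    client: str
    time: str
    token: str
    description: str


def scan_access_log(lines: Iterable[str]) -> List[HoneytokenAlert]:
    """Return one alert per request that touches a honeytoken.

    Any hit is treated as unauthorized use: the tokens are never linked to or
    handed out, so there is no benign reason for a request to contain them.
    """
    alerts = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue  # unparseable line; a production monitor would count these
        for token, description in HONEYTOKENS.items():
            if token in m["path"]:
                alerts.append(HoneytokenAlert(m["client"], m["time"], token, description))
    return alerts


if __name__ == "__main__":
    for alert in scan_access_log(LOG_LINES):
        print(f"HONEYTOKEN {alert.description}: {alert.token} requested by "
              f"{alert.client} at {alert.time}")
```

The same pattern applies to the other bullets: a mail server log can be scanned for the seeded list address as recipient, and a database audit log for the fake record's primary key. The match is a plain substring test, so the work is in choosing tokens that are unique and placing them where only someone copying or searching the data would find them.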
IDS Components
(Diagram: Untrusted Internet, routers, Firewall, two IDS Sensors on the network segments, IDS Manager.)
IDS Architecture
An IDS is essentially a sophisticated audit system.
- Sensors gather data for analysis from hosts or the network.
- Manager analyzes data obtained from sensors according to its internal rules.
- Notifier acts on manager results. May simply notify the security officer. May reconfigure sensors or manager to alter collection and analysis methods. May activate a response mechanism.
Host-Based Sensors
1. Obtain information from logs.
   - May use many logs as sources. May be security-related or not.
   - May use virtual logs if the agent is part of the kernel.
2. Agent generates its own information.
   - Analyzes the state of the system. Treats results of the analysis as log data.
Network-Based Sensors
Sniff traffic from the network.
- Use hubs, SPAN ports, or taps to see traffic. Need sensors on all switches to see the entire network.
- Deep packet inspection (DPI).
Sensor needs the same view of traffic as the destination.
- Attacker may send packets with TTL set so that they arrive at the destination but expire before reaching the sensor.
- Packet fragmentation and reassembly work differently on different OSes, so the sensor sees a different packet than the destination in some cases.
End-to-end encryption defeats content monitoring, though not traffic analysis.
Aggregation of Information
Sensors produce information at multiple layers of abstraction.
- Application-monitoring sensors provide one view of an event.
- System-monitoring sensors provide a different view of an event.
- Network-monitoring sensors provide yet another view (involving many packets) of an event.
Notifier
Accepts information from the manager and takes appropriate action.
- Page, call, IM, or e-mail the security officer.
- Rate-limit contacts so a single problem does not result in an overwhelming flood of notices.
- Respond to the attack.
Often GUIs: use visualization to convey information.
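The rate-limiting bullet as code. This is an added example, not from the lecture or from any particular IDS: a notifier that delivers at most one notice per (signature, source) within a suppression window, and counts the repeats it swallowed so the next notice for that problem summarizes them instead of losing them. The alert stream, the signature text and the timestamps are constructed.

```python
"""Rate-limited notifier for IDS alerts (added example, not from the slides)."""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Tuple


class Alert(NamedTuple):
    timestamp: float   # seconds since epoch (constructed values below)
    signature: str     # rule message or id that fired
    source: str        # offending host


class RateLimitedNotifier:
    """Send at most one notice per (signature, source) every `window` seconds.

    Repeats inside the window are counted, not dropped, so the analyst sees
    '(+N suppressed)' on the next notice and still knows the scale.
    """

    def __init__(self, window_seconds: float = 300.0):
        self.window = window_seconds
        self._last_sent: Dict[Tuple[str, str], float] = {}
        self._suppressed: Dict[Tuple[str, str], int] = defaultdict(int)
        self.sent: List[str] = []      # notices actually delivered, in order

    def handle(self, alert: Alert) -> bool:
        """Return True if a notice went out, False if it was rate-limited."""
        key = (alert.signature, alert.source)
        last = self._last_sent.get(key)
        if last is not None and alert.timestamp - last < self.window:
            self._suppressed[key] += 1
            return False
        repeats = self._suppressed.pop(key, 0)
        suffix = f" (+{repeats} suppressed)" if repeats else ""
        self.sent.append(f"{alert.signature} from {alert.source}{suffix}")
        self._last_sent[key] = alert.timestamp
        return True


def deliver(alerts: Iterable[Alert], window_seconds: float = 300.0) -> List[str]:
    """Run a whole alert stream through one notifier and return what was sent."""
    notifier = RateLimitedNotifier(window_seconds)
    for alert in alerts:
        notifier.handle(alert)
    return notifier.sent


# Constructed burst: one scanner trips the same rule five times in five seconds,
# a second host trips it once, and the first scanner returns ten minutes later.
SAMPLE_ALERTS = [Alert(1000.0 + i, "SCAN version probe", "203.0.113.7") for i in range(5)]
SAMPLE_ALERTS.append(Alert(1030.0, "SCAN version probe", "198.51.100.2"))
SAMPLE_ALERTS.append(Alert(1700.0, "SCAN version probe", "203.0.113.7"))

if __name__ == "__main__":
    for notice in deliver(SAMPLE_ALERTS):
        print(notice)
```

Keying on (signature, source) rather than on signature alone keeps a second attacker visible while the first one's burst is being suppressed; the window length is a policy choice that trades notice volume against how quickly a renewed attack is noticed.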
Example: snort
Network Intrusion Detection System
- Sniffs packets off the wire.
- Checks packets for matches against rule sets.
- Logs detected signs of misuse.
- Alerts the administrator when misuse is detected.
Example Architecture: snort
(Diagram not reproduced.)
Snort Rules
Rule header:
- Action: pass, log, alert
- Network protocol
- Source address (host or network) + port
- Destination address (host or network) + port
Rule body:
- Content: packet ASCII or binary content
- TCP/IP flags and options to match
- Message to log, indicating the nature of the misuse detected
Snort Rule Example
Example: rule for an ssh shellcode exploit:

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow NOOP"; flow:to_server,established; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; reference:bugtraq,2347; reference:cve,CVE-2001-0144; classtype:shellcode-detect; sid:1326; rev:3;)
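How the header and body of the rule above are taken apart and applied to a packet, as an added example. This is not Snort's own code: it is a minimal parser for the rule syntax on the slide plus a matcher that decodes the |90 90 ...| hex content notation and searches a payload for it. It keeps msg, sid, reference and the other options as strings only, does not evaluate flow: or classtype:, and treats $HOME_NET and $EXTERNAL_NET as names rather than resolving them; the test payloads are constructed.

```python
"""Parse a Snort rule and match its content pattern (added example, not Snort code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# The rule from the slide.
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 22 '
        '(msg:"EXPLOIT ssh CRC32 overflow NOOP"; flow:to_server,established; '
        'content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; '
        'reference:bugtraq,2347; reference:cve,CVE-2001-0144; '
        'classtype:shellcode-detect; sid:1326; rev:3;)')

# action proto src src_port direction dst dst_port ( options )
HEADER_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')
# name[:value]; where a value may be a quoted string containing ';'
OPTION_RE = re.compile(r'\s*(\w+)(?::((?:"[^"]*"|[^;"])*))?;')


@dataclass
class SnortRule:
    action: str
    protocol: str
    src: str
    src_port: str
    direction: str
    dst: str
    dst_port: str
    options: Dict[str, List[str]] = field(default_factory=dict)
    contents: List[bytes] = field(default_factory=list)   # decoded content: patterns


def decode_content(text: str) -> bytes:
    """Snort content syntax: text outside |...| is literal, inside is hex bytes."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        if i % 2 == 1:
            out += bytes.fromhex(part)          # fromhex ignores the spaces
        else:
            out += part.encode("latin-1")
    return bytes(out)


def parse_rule(rule: str) -> SnortRule:
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("not a Snort rule header")
    parsed = SnortRule(*m.groups()[:7])
    for name, value in OPTION_RE.findall(m.group(8)):
        value = value.strip().strip('"')
        if name == "content":
            parsed.contents.append(decode_content(value))
        else:
            parsed.options.setdefault(name, []).append(value)
    return parsed


def rule_matches(rule: SnortRule, protocol: str, dst_port: int, payload: bytes) -> bool:
    """True when protocol, destination port and every content: pattern match."""
    if rule.protocol != protocol:
        return False
    if rule.dst_port != "any" and int(rule.dst_port) != dst_port:
        return False
    return all(pattern in payload for pattern in rule.contents)


if __name__ == "__main__":
    r = parse_rule(RULE)
    print(r.action, r.protocol, r.src, r.src_port, r.direction, r.dst, r.dst_port)
    print("msg:", r.options["msg"][0], "sid:", r.options["sid"][0])
    # Constructed payloads: a NOP sled of 32 bytes after a banner, and 15 NOPs.
    print(rule_matches(r, "tcp", 22, b"SSH-2.0-banner\r\n" + b"\x90" * 32))   # True
    print(rule_matches(r, "tcp", 22, b"\x90" * 15))                            # False
```

The rule fires on any established connection to port 22 that carries sixteen consecutive 0x90 bytes, so the matcher is intentionally simple; real Snort adds the flow state check, offset/depth modifiers and fast-pattern matching across many rules at once, but the structure (header selects traffic, body selects content) is what the slide describes.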
IDS Deployment
IDS deployment should reflect your threat model. Major classes of attackers:
1. External attackers intruding from the Internet.
2. Internal attackers intruding from your LANs.
Where should you place IDS systems?
1. Perimeter (outside firewall)
2. DMZ
3. Intranet
4. Wireless
IDS Deployment
(Diagram not reproduced.)
Sguil NSM Console
(Screenshot not reproduced.)
Intrusion Prevention Systems
What else can you do with IDS alerts?
- Identify an attack before it completes. Prevent it from completing.
How to prevent attacks?
- Directly: IPS drops packets, kills TCP sessions.
- Indirectly: IPS modifies firewall rules.
Is IPS a good idea? How do you deal with false positives?
IPS Deployment Types
(Diagram: Inline, with the IPS in the traffic path to the Intranet; Non-Inline, with the IPS observing Intranet traffic from off the path.)
Active Responses by Network Layer
- Data link: shut down a switch port (only useful for local intrusions); rate-limit switch ports.
- Network: block a particular IP address. Inline: can perform the blocking itself. Non-inline: send a request to the firewall.
- Transport: send TCP RST or ICMP messages to sender and target to tear down TCP sessions.
- Application: inline IPS can modify application data to be harmless: /bin/sh -> /ben/sh
Great Firewall = Firewall + IPS
Host IDS and IPS
- Anti-virus and anti-spyware: AVG anti-virus, SpyBot S&D
- Log monitors: swatch, logwatch
- Integrity checkers: tripwire, osiris, samhain. Monitor file checksums, etc.
- Application shims: mod_security (usually called a WAF)
Evading IDS and IPS
Alter appearance to prevent a signature match:
- URL encode parameters to avoid a match.
- Use ' or 783>412-- for SQL injection.
Alter context:
- Change TTL so the IDS sees different packets than the target host receives.
- Fragment packets so that the IDS and target host reassemble the packets differently.
Fragment Evasion Techniques
- Flood of fragments: DoS via heavy use of CPU/RAM on the IDS.
- Tiny fragments: break the attack into multiple fragments, none of which match the signature. Ex: frag 1: "cat /etc", frag 2: "/shadow"
- Overlapping fragments: the offset of later fragments overwrites earlier fragments. Ex: frag 1: "cat /etc/fred", frag 2: offset=10, "shadow". Different OSes deal differently with overlapping.
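Why a sensor must reassemble fragments the same way the target host does, shown by reassembling the two cases above under two policies. This is an added example, not from the lecture: a "first" policy keeps the earlier fragment's bytes where fragments overlap and a "last" policy lets the later fragment overwrite them, which are two of the behaviours real operating systems exhibit. The fragment data is constructed from the slide's strings; the second fragment's offset is set to 9 here (the slide says 10) so that the "last" policy yields exactly the signature string.

```python
"""Fragment reassembly under different overlap policies (added example)."""
from typing import Dict, Iterable, List, Tuple

Fragment = Tuple[int, bytes]   # (byte offset into the stream, data)

SIGNATURE = b"cat /etc/shadow"

# Constructed from the slide's examples.
TINY_FRAGMENTS: List[Fragment] = [(0, b"cat /etc"), (8, b"/shadow")]
OVERLAP_FRAGMENTS: List[Fragment] = [(0, b"cat /etc/fred"), (9, b"shadow")]


def reassemble(fragments: Iterable[Fragment], policy: str) -> bytes:
    """Combine fragments in arrival order; `policy` decides who wins an overlap.

    'first': bytes already present are kept (earlier fragment wins).
    'last' : later fragments overwrite earlier ones.
    """
    if policy not in ("first", "last"):
        raise ValueError(f"unknown policy {policy!r}")
    buf: Dict[int, int] = {}
    for offset, data in fragments:
        for i, byte in enumerate(data):
            pos = offset + i
            if policy == "last" or pos not in buf:
                buf[pos] = byte
    if not buf:
        return b""
    # Any hole (offset never filled) becomes NUL so it stays visible.
    return bytes(buf.get(i, 0) for i in range(max(buf) + 1))


def matches_signature(payload: bytes, signature: bytes = SIGNATURE) -> bool:
    return signature in payload


def compare_policies(fragments: Iterable[Fragment]) -> Dict[str, bytes]:
    """What a 'first'-policy sensor and a 'last'-policy host each end up with."""
    frags = list(fragments)
    return {policy: reassemble(frags, policy) for policy in ("first", "last")}


if __name__ == "__main__":
    # Tiny fragments: neither piece matches alone, the reassembled stream does.
    print([matches_signature(d) for _, d in TINY_FRAGMENTS], matches_signature(reassemble(TINY_FRAGMENTS, "first")))
    # Overlap: the two policies produce different streams, only one matches.
    for policy, stream in compare_policies(OVERLAP_FRAGMENTS).items():
        print(policy, stream, matches_signature(stream))
```

The tiny-fragment case shows that a sensor matching per packet misses the signature entirely; the overlap case shows that even a reassembling sensor misses it if its overlap policy differs from the host's. Snort's frag3 preprocessor addresses this by letting the operator assign a reassembly policy per target host or network, so the sensor reproduces what each destination will actually see.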
Web Evasion Techniques
- URL encoding: GET /%63%67%69%2d%62%69%6e/bad.cgi
- /./ directory insertion: GET /./cgi-bin/./bad.cgi
- Long directory insertion: GET /junklongdirectorypathstuffhereuseless/../cgi-bin/bad.cgi (IDS may only read the first part of the URL for speed.)
- Tab separation: GET<tab>/cgi-bin/bad.cgi (Tabs usually work on servers, but may not be in the signature.)
- Case sensitivity: GET /CGI-BIN/bad.cgi (Windows filenames are case insensitive, but the signature may not be.)
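The normalization an HTTP preprocessor applies so that all five variants above reduce to one path and hit one signature. This is an added example, not from the lecture or from any IDS: it percent-decodes the path, resolves "." and ".." segments, accepts tabs as request-line separators, and case-folds only when the protected server is flagged as case-insensitive (the Windows case on the slide). The request lines are the slide's; the signature path and the `case_insensitive_target` flag are assumptions of this example.

```python
"""Canonicalise HTTP request lines before signature matching (added example)."""
import re
from typing import Tuple
from urllib.parse import unquote

# The five evasion variants from the slide (<tab> written as a real tab).
EVASION_VARIANTS = [
    "GET /%63%67%69%2d%62%69%6e/bad.cgi",
    "GET /./cgi-bin/./bad.cgi",
    "GET /junklongdirectorypathstuffhereuseless/../cgi-bin/bad.cgi",
    "GET\t/cgi-bin/bad.cgi",
    "GET /CGI-BIN/bad.cgi",
]


def normalize_path(path: str, case_insensitive_target: bool = False) -> str:
    """Decode, drop the query string, resolve dot segments, optionally case-fold."""
    path = path.split("?", 1)[0]             # query string is matched separately
    path = unquote(path)                     # one decoding pass: %63%67%69 -> cgi
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue                         # '//' and '/./' add nothing
        if seg == "..":
            if segments:
                segments.pop()               # '/junk/../' cancels 'junk'
            continue
        segments.append(seg)
    normalized = "/" + "/".join(segments)
    return normalized.lower() if case_insensitive_target else normalized


def parse_request_line(line: str) -> Tuple[str, str]:
    """Split method and request target; tabs count as separators like spaces."""
    parts = re.split(r"[ \t]+", line.strip(), maxsplit=2)
    if len(parts) < 2:
        raise ValueError("malformed request line")
    return parts[0], parts[1]


def matches(request_line: str, signature: str = "/cgi-bin/bad.cgi",
            case_insensitive_target: bool = False) -> bool:
    """Does the request, once canonicalised, hit the signature path?"""
    _, raw_path = parse_request_line(request_line)
    path = normalize_path(raw_path, case_insensitive_target)
    sig = signature.lower() if case_insensitive_target else signature
    return path == sig


if __name__ == "__main__":
    for line in EVASION_VARIANTS:
        print(repr(line), "->", normalize_path(parse_request_line(line)[1], True),
              matches(line, case_insensitive_target=True))
```

The decoder runs once, mirroring a server that decodes once; if the protected server decodes more than once, the preprocessor must be configured to do the same, which is why real HTTP inspection profiles are set per server type rather than globally. The case-folding flag makes the last bullet explicit: against a case-sensitive Unix server "/CGI-BIN/bad.cgi" is a different file and should not match, while against Windows it must.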
Countering Evasion
- Keep IDS/IPS signatures up to date, on a daily or weekly basis.
- Use both host and network IDS/IPS. Host-based is harder to evade as it runs on the host; fragment attacks can't evade a host IDS. Network IDS is still useful as an overall monitor.
- Tune IDS/IPS based on experience to handle false positives and false negatives.
Key Points
1. Models of IDS:
   - Anomaly detection: unexpected events (statistical IDS).
   - Misuse detection: violations of policy (rule-based IDS).
2. IDS architecture: sensors, manager, notifier.
3. Host vs. network IDS
   - Host: agent on the host checks files and processes to detect attacks.
   - Network: sniffs and analyzes packets to detect intrusions.
4. IPS: stop intrusions, but what about false positives? Inline vs. non-inline: how do prevention techniques differ?
5. IDS/IPS evasion: alter appearance to avoid a signature match; alter context so the IDS interprets traffic differently than the host.
Key Points: Honeypots
6. Honeypots deceive attackers.
   1. Identify intrusions with low false positive rates.
   2. Learn more about intrusions, esp. with HI honeypots.
   3. Interaction levels: low, medium, high.
   4. Honeyclients and honeytokens.