Date posted: 19-Dec-2015
Stephen S. Yau, CSE 465-591, Fall 2006

Intrusion Detection

Intruders
Gain hostile or unwanted access to the system
– Either local or via network
Varying levels of competence
May seem benign
May use a compromised system to launch other attacks
Aim to increase their own privileges on the system

Types of Intruders
Masquerader: usually an outsider, not authorized to use the system, who penetrates the system through a legitimate user's account
Misfeasor: usually an insider, a legitimate user who accesses assets they are not authorized to use, or who is authorized but misuses those privileges
Clandestine user: an insider or outsider who has supervisory access to the system

Intrusion Techniques
Basic attack methodology
– Take possession of the target machine and gather unauthorized information
– Obtain initial access
– Escalate privileges
– Remove traces of the intrusion
Main goal is to acquire passwords

Why Need Intrusion Detection?
Security failures are inevitable
Need to detect intrusions
– Blocked if detected quickly
– Acts as a deterrent
– Collect information to improve security
Data within an organization is often more important than the network itself
– Commerce, government, business, and academia

Intrusion Detection System
Types of IDS
– Host-based IDS
– Network-based IDS
Reading: T1: ch. 22; T2: ch. 25

Host-based IDS
Use OS auditing mechanisms
• e.g., log all direct or indirect events generated by a user
Monitor user activities
• e.g., analyze shell commands
Monitor executions of system programs
• e.g., analyze system calls made by sendmail
Involve monitoring of
– communications in and out of a machine
– integrity of system files
– running processes

Examples of Host-based IDS
Black Ice (http://www.networkice.com)
– Windows operating system
Zone Alarm (http://www.zonealarm.com)
– Windows operating system
Internet Security Systems (ISS) RealSecure (http://www.iss.net)
– Windows and Unix operating systems
Linux Intrusion Detection System (LIDS) (http://www.lids.org)
– Linux operating system

Strengths and Drawbacks of Host-based IDS
Strengths:
– Easy attack identification
– Can monitor key components
– Near real-time detection and response
– No additional hardware needed
Drawbacks:
– Deciding which information needs to be logged is a matter of experience
– Unselective logging of messages may greatly increase audit and analysis burdens
– Selective logging carries the risk that attack manifestations are missed

Network-based IDS
Deploy special sensors at strategic locations
• e.g., packet sniffing via tcpdump at routers
Inspect network traffic
• Watch for violations of protocols and unusual connection patterns
Monitor user activities
• Look into the data portions of packets for malicious command sequences
Monitor packets for some sort of signature as they pass a sensor

Common Network Signs of Intrusion Detection
String
– Look for a text string that indicates a possible attack.
Port
– Watch for connection attempts to well-known, frequently attacked ports.
Header
– Look for suspiciously dangerous or illogical combinations of packets and headers.
– Example: Winnuke, where a packet is destined for the NetBIOS port and the Urgent pointer or Out Of Band pointer is set, resulting in the "blue screen of death" for Windows systems.
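The three signs above (string, port, header) as a small signature matcher over raw TCP segments. This is an added example, not code from the slides: the segments are constructed in memory and the string/port signature lists are illustrative; only the header sign (NetBIOS port with the Urgent flag or pointer set, the Winnuke case) comes from the slide.

```python
"""Toy matcher for the string, port and header signs of a network IDS.
Added example: constructed segments, illustrative signature lists."""
import struct
from dataclasses import dataclass
from typing import List

# Fixed 20-byte TCP header: src, dst, seq, ack, data offset, flags, window, checksum, urgent pointer
TCP_HDR = struct.Struct("!HHIIBBHHH")
FLAG_URG = 0x20                  # URG bit in the TCP flags byte
NETBIOS_SSN = 139                # NetBIOS session service port named on the slide


@dataclass
class Segment:
    src_port: int
    dst_port: int
    flags: int
    urg_ptr: int
    payload: bytes


def build_segment(src_port: int, dst_port: int, payload: bytes = b"",
                  flags: int = 0x18, urg_ptr: int = 0) -> bytes:
    """Construct a TCP segment (header without options + payload) for testing."""
    hdr = TCP_HDR.pack(src_port, dst_port, 1, 1, 5 << 4, flags, 65535, 0, urg_ptr)
    return hdr + payload


def parse_segment(raw: bytes) -> Segment:
    """Parse the fixed header; the data offset locates the payload past any options."""
    src, dst, _seq, _ack, off, flags, _win, _csum, urg = TCP_HDR.unpack_from(raw)
    data_off = (off >> 4) * 4
    return Segment(src, dst, flags, urg, raw[data_off:])


# Illustrative signatures (assumed values, not taken from the slide)
STRING_SIGS = [b"/bin/sh"]       # string sign: text that indicates a possible attack
PORT_SIGS = {23, NETBIOS_SSN}    # port sign: well-known, frequently attacked ports


def header_sign(seg: Segment) -> bool:
    """Header sign from the slide: NetBIOS port with Urgent flag or pointer set."""
    return seg.dst_port == NETBIOS_SSN and (bool(seg.flags & FLAG_URG) or seg.urg_ptr != 0)


def classify(raw: bytes) -> List[str]:
    """Return the names of the signs a segment triggers, in the slide's order."""
    seg = parse_segment(raw)
    hits = []
    if any(s in seg.payload for s in STRING_SIGS):
        hits.append("string")
    if seg.dst_port in PORT_SIGS:
        hits.append("port")
    if header_sign(seg):
        hits.append("header")
    return hits
```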

Some Examples of Network-based IDS
Internet Security Systems (ISS) RealSecure (http://www.iss.net)
– Windows and Unix operating systems
Snort (http://www.snort.org)
– Open source
– Windows and Unix operating systems
Cisco NetRanger (http://www.cisco.com)
– Unix-based appliance intrusion detection system

Strengths and Drawbacks of Network-based IDS
Strengths:
– Reduced cost of ownership
– Packet analysis feasible
– Real-time detection and response
– Malicious intent detected before the real intrusion happens
– Operating system independence
Drawbacks:
– Packets can be lost on flooded networks; reassembled packets could be incorrect and trigger false alarms
– Cannot handle encrypted data
– Depends on the network architecture
– High false-positive rate
– Configuration needs expertise
– Privacy compromised

Hybrid of Network-based and Host-based IDS
[Figure: deployment diagram with labels Internet, NIDS (two sensors) and HIDS (three hosts)]

Intrusion Detection Techniques
Profile-based
Signature-based
– Rule-based
– State Transition Analysis
– Pattern Matching

ID Techniques – Profile-based
Profile: identification of subjects and their normal behavior
Subject: a user account, a service, a group, a network domain, etc.
Approaches:
– Intrusion Detection Expert System (IDES)
– Wisdom and Sense (W & S)
– Specification-based
Advantages: easy to implement; capable of detecting new intrusion scenarios
Disadvantage: high false alarm rate

ID Techniques – Signature-based
Find specific event sequences (signatures) by scanning system activities
Event: a generic system activity, such as deleting a file or sending an e-mail
Types:
– Rule-based
– State-transition analysis
– Pattern matching
Can detect known intrusion patterns efficiently, but not unknown intrusion patterns or variants of known intrusion signatures.

Rule-based Intrusion Detection
Based on expert systems
Most basic signature-based IDS
"If condition, then action"
– Condition specifies constraints on the audit record
– Action specifies the action to be taken if the condition is satisfied

Rule-based Intrusion Detection (cont.)
Observe events happening on the system
Apply rules to decide if activity is suspicious
Rule-based Anomaly Detection:
– Generating rules involves analysis of audit data and identification of usage patterns
– Observe current data and match it against the rules to see if it conforms to abnormal behavior
Example: If a server finds that 40% of the packets received are Internet Control Message Protocol (ICMP) echo requests from diverse sources, it may be regarded as a DoS attack. Rule: if the percentage of echo requests in ICMP >= 40%, then a DoS attack happens.
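The slide's example rule as running detection logic, added here and not taken from the slides: a sliding window over received packets, the 40% echo-request condition, and a "diverse sources" check. The window size and the minimum number of distinct sources are assumptions the slide leaves unstated; the packet records are constructed, not captured.

```python
"""Rule-based anomaly detection: 'if the percentage of ICMP echo requests
>= 40% from diverse sources, then a DoS attack happens'. Added example with
constructed packet records; window and min_sources are assumed values."""
from collections import deque
from dataclasses import dataclass
from typing import Deque, List, Optional, Tuple

ICMP_ECHO_REQUEST = 8          # ICMP type 8 = echo request ("ping")


@dataclass(frozen=True)
class Pkt:
    src: str                   # source IP address
    proto: str                 # "icmp", "tcp" or "udp"
    icmp_type: int = -1        # only meaningful when proto == "icmp"


def is_echo_request(p: Pkt) -> bool:
    return p.proto == "icmp" and p.icmp_type == ICMP_ECHO_REQUEST


class EchoFloodRule:
    """Condition: echo-request share >= threshold, from >= min_sources distinct
    senders, over the last `window` packets.  Action: return a DoS alert string."""

    def __init__(self, window: int = 100, threshold: float = 0.40, min_sources: int = 10):
        self.window, self.threshold, self.min_sources = window, threshold, min_sources
        self.buf: Deque[Pkt] = deque(maxlen=window)

    def stats(self) -> Tuple[float, int]:
        """Share of echo requests in the window and number of distinct senders."""
        echo = [p for p in self.buf if is_echo_request(p)]
        share = len(echo) / len(self.buf) if self.buf else 0.0
        return share, len({p.src for p in echo})

    def observe(self, p: Pkt) -> Optional[str]:
        """Consume one received packet; evaluate the rule once the window is full."""
        self.buf.append(p)
        if len(self.buf) < self.window:
            return None
        share, sources = self.stats()
        if share >= self.threshold and sources >= self.min_sources:
            return (f"DoS attack suspected: {share:.0%} of the last {self.window} "
                    f"packets are ICMP echo requests from {sources} sources")
        return None


def run(packets: List[Pkt], **kw) -> Tuple[int, Optional[str]]:
    """Replay a packet log through the rule; return (alert count, first alert)."""
    rule = EchoFloodRule(**kw)
    alerts = [a for a in (rule.observe(p) for p in packets) if a]
    return len(alerts), (alerts[0] if alerts else None)


# Constructed traffic samples (not captures), 100 packets each.
BENIGN = [Pkt("10.0.0.5", "icmp", 8) if i % 10 == 0 else Pkt(f"10.0.1.{i % 20}", "tcp")
          for i in range(100)]                          # 10% pings from one monitoring host
SINGLE = [Pkt("10.0.0.5", "icmp", 8) if i % 2 == 0 else Pkt(f"10.0.1.{i % 20}", "tcp")
          for i in range(100)]                          # 50% pings, but from one source only
FLOOD = [Pkt(f"198.51.100.{i % 50}", "icmp", 8) if i % 2 == 0 else Pkt(f"10.0.1.{i % 20}", "tcp")
         for i in range(100)]                           # 50% pings from 25 distinct sources
```

The SINGLE sample shows why the slide qualifies the rule with "from diverse sources": the same 50% share from one host is not flagged unless min_sources is lowered.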

Strengths and Drawbacks of Rule-based Intrusion Detection
Strengths:
– The inference engine is simple
– The system is powerful at detecting the intrusions specified in its rules
– Easy to implement
Limitations:
– Direct dependence on audit records
– Rules are created from audit records of known penetrations; slight variations in attacks could leave a penetration undetected
– If someone changes the audit trail, a penetration may not be detected
– Difficult for distributed processing

State Transition Analysis
State is a snapshot of the system with all the volatile and permanent memory locations.
– A state represents some attribute of the system, not the whole system state
– A state is generic, e.g. "user is root now"
Transition is an action that changes the state.
Penetration is viewed as a sequence of actions performed by an attacker that leads from an initial state to a compromised (insecure) state.
– The penetration sequence is represented by a finite state machine: a node is a state, an arc is an action (or transition)
Signature actions are a sequence of identified actions which trigger the transition from one state to another.

State Transition Analysis (cont.)
Information retrieved from audit data is represented graphically in a State Transition Diagram. As the actions of an intrusion are completed one by one, the target machine changes from one state to another when certain actions are performed. When the machine changes from some normal state to a compromised state, an intrusion is detected and reported.

Strengths and Drawbacks of State Transition Analysis
Strengths:
– State Transition Analysis identifies a number of signature actions and represents them visually.
– The State Transition Diagram identifies precisely the requirements and penetrations.
– Lists the actions that must occur for completion of a certain penetration.
– Provides efficient reasoning support.
Drawbacks:
– It cannot represent complex intrusion scenarios.

Pattern Matching Approach
Each intrusion signature is represented as a Petri net
– A Petri net is a graphical and mathematical modeling tool. It consists of places, transitions, and arcs that connect them. Input arcs connect places with transitions, while output arcs start at a transition and end at a place.
– Has strong expressive power
(Reference: James L. Peterson, "Petri Net Theory and Modeling of Systems")

Pattern Matching Approach (cont.)
Characteristics of patterns used to model attacks
– Linearity: specifies the sequence of events comprising the signature pattern, i.e., a sequence of events without conjunction or disjunction.
– Unification: instantiates variables from earlier events and matches them against later occurring events.
– Occurrence: specifies the relative placement in time of an event with respect to the previous events.
– Beginning: specifies the absolute time at which the beginning of a pattern matches.
– Duration: specifies constraints on the time duration for which the event must be active.
Reference: S. Kumar, E. H. Spafford, "An Application of Pattern Matching in Intrusion Detection", http://www.csee.umbc.edu/cadip/docs/NetworkIntrusion/pattern.pdf

Pattern Matching Approach (cont.)
Use Petri nets to capture signatures:
– Each signature corresponds to a particular Petri net automaton
– Nodes represent tokens; edges represent transitions
– The final state of a signature is a compromised state
Generate an intrusion pattern
1. Identify the existence of files or other entities created by an attacker
2. Identify a sequence of events
3. Identify two or more sequences of events under a temporal relation
4. Identify the duration of events
5. Identify the interval of events
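The state transition analysis slides and the pattern characteristics above (linearity, unification, duration) share one mechanism, so one added example serves both; it is not code from the slides or from the Kumar and Spafford paper. A penetration signature is a linear sequence of signature actions, fields tagged with a $variable must agree across actions (unification), and the whole sequence must complete within max_duration seconds; the state names, the signature and the audit trail are constructed.

```python
"""State transition analysis over an audit trail with unification and a
duration bound. Added example; the signature and trail are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Event = Dict[str, object]   # one audit record, e.g. {"t": 0, "type": "auth_fail", "user": "bob"}
Bindings = Tuple[Tuple[str, str], ...]

@dataclass(frozen=True)
class Step:
    state: str                          # state reached when this signature action completes
    event_type: str                     # audit event type that constitutes the action
    match: Tuple[Tuple[str, str], ...]  # (event field, "$variable" or literal value)

@dataclass(frozen=True)
class Partial:
    idx: int                            # index of the next step still to be satisfied
    bindings: Bindings
    started: float                      # time of the first matched action

def unify(step: Step, ev: Event, bindings: Bindings) -> Optional[Bindings]:
    """Extended bindings if ev satisfies step under the current bindings, else None."""
    if ev["type"] != step.event_type:
        return None
    b = dict(bindings)
    for fld, want in step.match:
        val = ev.get(fld)
        if val is None:
            return None
        if want.startswith("$"):
            if want in b and b[want] != val:    # variable bound by an earlier action must agree
                return None
            b[want] = val
        elif val != want:                       # literal constraint, e.g. to == "root"
            return None
    return tuple(sorted(b.items()))

def analyze(steps: List[Step], max_duration: float, events: List[Event]):
    """Run the state machine over a time-ordered audit trail; return compromise alerts."""
    partials: Set[Partial] = set()
    alerts: List[Tuple[float, str, Dict[str, str]]] = []
    for ev in sorted(events, key=lambda e: e["t"]):
        t = ev["t"]
        live = {p for p in partials if t - p.started <= max_duration}   # duration constraint
        advanced = set()
        for p in live | {Partial(0, (), t)}:    # existing matches, plus a fresh one starting here
            nb = unify(steps[p.idx], ev, p.bindings)
            if nb is None:
                continue
            nxt = Partial(p.idx + 1, nb, p.started)
            if nxt.idx == len(steps):           # final state reached: compromised
                alerts.append((t, steps[-1].state, dict(nb)))
            else:
                advanced.add(nxt)
        partials = live | advanced
    return alerts

# Constructed signature: two failed logins for the same user from the same host,
# then a successful login, then that user becomes root, all within 10 minutes.
SAME = (("user", "$user"), ("host", "$host"))
SIG = [Step("guessing", "auth_fail", SAME), Step("guessing", "auth_fail", SAME),
       Step("logged in", "auth_ok", SAME),
       Step("user is root now", "priv_change", (("user", "$user"), ("to", "root")))]
TRAIL: List[Event] = [  # constructed audit trail; alice's failure does not unify with bob's
    {"t": 0, "type": "auth_fail", "user": "bob", "host": "h1"},
    {"t": 5, "type": "auth_fail", "user": "bob", "host": "h1"},
    {"t": 7, "type": "auth_fail", "user": "alice", "host": "h2"},
    {"t": 12, "type": "auth_ok", "user": "bob", "host": "h1"},
    {"t": 40, "type": "priv_change", "user": "bob", "to": "root"},
]
```

Moving the last event to t=700 exceeds the 600-second bound and yields no alert, which is the duration constraint in action; a normal admin session (auth_ok then priv_change, no failures) never leaves the initial state.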

Strengths and Drawbacks of Pattern Matching Approach
Strengths:
– Rule-based sequential patterns detect anomalous activities that are difficult to detect using traditional methods.
– Systems built using this model are highly adaptive to changes by users; if a new pattern is found, it is easy to define it with a Petri net.
– Anomalous activities are detected and reported within seconds of receiving audit events.
Drawbacks:
– Requires experience to generate rules
– Difficult to verify the completeness of the set of rules

References
Matt Bishop, Introduction to Computer Security, Addison-Wesley, 2004, ISBN 0321247442 (textbook1)
Matt Bishop, Computer Security: Art and Science, Addison-Wesley, 2002, ISBN 0201440997 (textbook2)
M. Merkow, J. Breithaupt, Information Security: Principles and Practices, Prentice Hall, August 2005, 448 pages, ISBN 0131547291
James L. Peterson, "Petri Net Theory and Modeling of Systems"
S. Kumar, E. H. Spafford, "An Application of Pattern Matching in Intrusion Detection". Available at: http://www.csee.umbc.edu/cadip/docs/NetworkIntrusion/pattern.pdf