1 / 51

Computer Security: Principles and Practice

Computer Security: Principles and Practice. Chapter 6 – Intrusion Detection. by William Stallings and Lawrie Brown Lecture slides: Some by Lawrie Brown, some by Susan Lincke. Objectives. The student should be able to:

forbes
Télécharger la présentation

Computer Security: Principles and Practice

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Computer Security: Principles and Practice Chapter 6 – Intrusion Detection by William Stallings and Lawrie Brown Lecture slides: Some by Lawrie Brown, some by Susan Lincke

  2. Objectives The student should be able to: Define how a signature-based, anomaly-based, and rule-based IDS works. Define false positives, false negatives, and how both affect the sensitivity of an IDS. Describe the difference between an IDS and IPS and the advantages/disadvantages of each. Describe when you would use a host IDS and/or a network IDS and some advantages of each. Describe functions of different Host IDS systems: System integrity verifiers, statistics monitors, deception systems, and configuration auditors. (skip for 2012) Draw the internal configuration of a tap, and describe how a switch SPAN port works (Not 2012). Describe the three responses that CISCO IDS’s can support in response to an attack (Not 2012). Describe the capabilities of Snort, including its features, cost, programmability, configurability, and its directory structure.

  3. Examples of Intrusion • remote root compromise • web server defacement • guessing / cracking passwords • copying viewing sensitive data / databases • running a packet sniffer • distributing pirated software • using an unsecured modem to access net • impersonating a user to reset password • using an unattended workstation

  4. Security Intrusion & Detection Security Intrusion a security event, or combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so. Intrusion Detection a security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near real-time warning of attempts to access system resources in an unauthorized manner.

  5. Insider Attacks • among most difficult to detect and prevent • employees have access & systems knowledge • may be motivated by revenge / entitlement • when employment terminated • taking customer data when move to competitor • IDS / IPS may help but also need: • least privilege, monitor logs, strong authentication, termination process to block access & mirror data

  6. Insider Behavior Example • create network accounts for themselves and their friends • access accounts and applications they wouldn't normally use for their daily jobs • e-mail former and prospective employers • conduct furtive instant-messaging chats • visit web sites that cater to disgruntled employees, such as f'dcompany.com • perform large downloads and file copying • access the network during off hours.

  7. Intrusion Techniques • objective to gain access or increase privileges • initial attacks often exploit system or software vulnerabilities to execute code to get backdoor • e.g. buffer overflow • or to gain protected information • e.g. password guessing or acquisition

  8. Intrusion Detection Systems • classify intrusion detection systems (IDSs) as: • Host-based IDS: monitor single host activity • Network-based IDS: monitor network traffic • logical components: • sensors - collect data • analyzers - determine if intrusion has occurred • user interface - manage / direct / view IDS

  9. IDS Principles • assume intruder behavior differs from legitimate users • expect overlap as shown • observe deviations from past history • problems of: • false positives • false negatives • must compromise

  10. IDS Principles Where to set limit (draw arrow)? • false positives: normal behavior labeled attack • false negatives: attack labeled normal behavior • must compromise

  11. IDS Requirements • run continually • be fault tolerant • resist subversion • impose a minimal overhead on system (if hids) • configured according to system security policies • adapt to changes in systems and users • scale to monitor large numbers of systems • provide graceful degradation of service • allow dynamic reconfiguration

  12. Host-Based IDS • specialized software to monitor system activity to detect suspicious behavior • primary purpose is to detect intrusions, log suspicious events, and send alerts • can detect both external and internal intrusions • two approaches, often used in combination: • anomaly detection - defines normal/expected behavior • threshold detection • profile based • signature detection - defines proper behavior

  13. Audit Records • a fundamental tool for intrusion detection • two variants: • native audit records - provided by O/S • always available but may not be optimum • detection-specific audit records - IDS specific • additional overhead but specific to IDS task • often log individual elementary actions

  14. Audit Record Contents Subject: initiator of action Action: Operation performed: login, read, perform I/O, execute Object: Receptor of action: file, program message, printer, … Exception-condition: Type of exception Resource-usage: Amount of resources used Time-stamp: When it occurred

  15. Anomaly Detection • threshold detection • checks excessive event occurrences over time • alone a crude and ineffective intruder detector • must determine both thresholds and time intervals • profile based • characterize past behavior of users / groups • then detect significant deviations • based on analysis of audit records • gather metrics: counter, gauge, interval timer, resource utilization • analyze: mean and standard deviation, multivariate, Markov process, time series, operational model

  16. Login & Session Activity

  17. Command or Program Execution Activity

  18. File Access Activity

  19. Signature Detection • observe events on system and applying a set of rules to decide if intruder • approaches: • rule-based anomaly detection • analyze historical audit records for expected behavior, then match with current behavior • rule-based penetration identification • rules identify known penetrations / weaknesses • often by analyzing attack scripts from Internet • supplemented with rules from security experts

  20. Rule based penetration examples Users should not read files in other users’ personal directories Users must not write to others’ files Users who log in after hours often access the same files they used earlier Users do not generally open disk devices directly but rely on higher-level operating system utilities Users should not be logged in more than once to the same system Users do not make copies of system programs

  21. Signature- versus Anomaly-Based IDS Signature-based: Looks for attack signatures in packets or logs Retains signatures in a signature database or rule set(s). Can create custom rules – sometimes with wildcards Benefits & Limitations Benefit: Can name specific attacks, allowing for appropriate reaction Limitations: More signatures translates into lower transaction rates Slight deviations from the signature won’t be caught: e.g., blank vs. %20 New attacks cannot be caught

  22. Anomaly-based or Heuristic: Looks for unexpected behavior Baseline-based Intrusion Detection: ‘Expected’ performance is known Thresholds are established differentiating normal vs. abnormal behavior E.g., Rate of SYN or Ping packets change E.g., Monitoring processor usage at night E.g., Packet is not formatted as expected Rule-based Intrusion Detection: Certain actions are not allowed E.g., Log accesses to password file Benefits & Limitations Benefit: Quick at recognizing new large-scale worm attacks Limitation: Cannot name the attack; Cannot detect attacks near norm

  23. System Sensitivity False positive: Innocent action logged as an attack False negative: Attack not recognized Sensitivity of the system: The degree of False positives to False negatives Administrator must achieve the right balance of sensitivity

  24. Types of NIDS: IDS, IPS Passive mode or IDS: Monitors network traffic only Does not affect performance of network traffic Can be incapable of sending on network Active mode or IPS: Performs inline processing of packets Causes penalty on performance – problematic for very busy networks Must be capable of sending on network

  25. IDS versus IPS Intrusion Detection System (IDS): Sniffs and reports possible violations Difference between Firewall/IDS: Can name attack Intrusion Prevention System (IPS): Reports violations and prevents attacks from occurring Does inline processing, similar to a Firewall: drop packets, reset connections, route suspicious traffic for analysis Problems: Delays in processing; bottleneck Since IDS/IPS have high rate of False Positives, they require extensive optimization

  26. What an IDS Cannot Detect • Passwords not changed from default • File transfer of confidential files • Social engineering techniques • Decipher encrypted messages on a network Bus or other broadcast configuration Passwords not changed from default File transfer of confidential files Social engineering techniques Decipher encrypted messages on a network Star Configuration

  27. Attacks can be categorized as: NIDS Detects

  28. Comparison of Host versus Network-Based IDS

  29. Switch A Router B Tap NIDS More Detail Below… Tap Internal Configuration Switch A Router B NIDS Top Layer Switch The switch can buffer overlapping traffic to a degree. However be careful not to overload the switch.

  30. How to Attach an IDS Switch: Central router routes traffic only to destination node. • High throughput since the simultaneous transmissions can occur between different pairs. Switch Port Analyzer (SPAN) allows a network sniffer to monitor TX/RX/both transmissions between 2 (or sometimes more) nodes (commonly switch & router) • Disadvantage: Switch only has one SPAN port, switch performance degradation • Advantage: No extra equipment, easy to install Hub: Hub repeats traffic to all nodes • Disadvantage: Throughput limitations since all nodes share same physical link – cannot implement duplex transmission between switch/router • Advantage: Easy to install and configure Tap: A ‘T’ or listening device forwards traffic to the NIDS • Disadvantage: Usually monitors in one direction only, dictates stealth configuration • Advantage: Fault tolerant on power failure, no throughput degradation, protects IDS from attacks

  31. Distributed Host-Based IDS

  32. Distributed Host-Based IDS

  33. Network-Based IDS • network-based IDS (NIDS) • monitor traffic at selected points on a network • in (near) real time to detect intrusion patterns • may examine network, transport and/or application level protocol activity directed toward systems • comprises a number of sensors • inline (possibly as part of other net device) • passive (monitors copy of traffic)

  34. NIDS Sensor Deployment

  35. Intrusion Detection Techniques • signature detection • at application, transport, network layers; unexpected application services, policy violations • anomaly detection • of denial of service attacks, scanning, worms • when potential violation detected sensor sends an alert and logs information • used by analysis module to refine intrusion detection parameters and algorithms • by security admin to improve protection

  36. Distributed Adaptive Intrusion Detection

  37. Intrusion Detection Exchange Format

  38. Honeypots • are decoy systems • filled with fabricated info • instrumented with monitors / event loggers • divert and hold attacker to collect activity info • without exposing production systems • initially were single systems • more recently are/emulate entire networks

  39. Honeypot: What is it? • System with NO OTHER USERS or USED APPLICATIONS – LOG all access attempts • Honeypots are high maintenance, high risk • Honeypots are not legally a form of entrapment • Types may include: • Port Monitor: Sockets-based program that listens for connections. • Deception System: Pretends it is a real application by sending valid replies (e.g. mail) • Multi-protocol Deception System: Pretends to support multiple applications • Full network system plus IDS

  40. Honeypots Advantages: • Watch and learn from attackers to strengthen defense • Lure an attacker to a safe place to identify and stop the attacker • Keep attackers busy in a safe environment for hours Disadvantages: • A hacked honeypot can serve as launching pad into rest of network • Honeypots must be maintained and monitored

  41. Honeypot Deployment

  42. SNORT • lightweight IDS • real-time packet capture and rule analysis • passive or inline

  43. SNORT Rules • use a simple, flexible rule definition language • with fixed header and zero or more options • header includes: action, protocol, source IP, source port, direction, dest IP, dest port • many options • example rule to detect TCP SYN-FIN attack: Alert tcp $EXTERNAL_NET any -> $HOME_NET any \ (msg: "SCAN SYN FIN"; flags: SF, 12; \ reference: arachnids, 198; classtype: attempted-recon;)

  44. SNORT NIDS->NIPS Snort Format: {cmd} {protocol} {sourceIP} {sourcePort} {direction} {destIP} {destPort} (<keyword>:<value>; <keyword>:<value>) • Cmd=alert pass log activate dynamic • log=packet text only, • alert writes to alert file • Protocol=ipudpicmptcparp, igrp, gre, ospf, rip, … • Port= :1024 or 1024:6000 • Direction= -> or <>

  45. Snort Command Example Snort Format: {cmd} {protocol} {sourceIP} {sourcePort} {direction} {destIP} {destPort} (<keyword>:<value>; <keyword>:<value>) Example: var HTTP_SERVERS [192.168.1.50/32] var HOME_NET [192.168.1.0/24] var EXTERNAL_NET !HOME_NET alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:”WEB-IIS cmd.exe access”; flags: A+; content:”cmd.exe”; nocase; classtype:web_application-attack;)

  46. Snort Keywords Keywords can include: dsize: maximum packet size; larger sizes indicate problems. ttl: IP time to live value. fragbits: R=Reserved, D=Don’t Fragment, M=More Fragment. ipopts: IP options: lsrr: loose source routing; ssrr=strict source routing. flags: S=Syn, A=Ack, F=Fin, R=Reset, +=and/or more; itype: ICMP packet type content: <text or hexadecimal data to search for> uricontent: Content of the URL (e.g., ”/bin/ps”) offset: the position in the packet payload to begin searching for a match. nocase: Deactivates case-sensitivity sid: signature ID; describes more about the signature ip_proto: protocol after IP header (e.g., DNS=53) rev: rule revision number logto: file to write log to.

  47. Snort IPS Additional Commands New commands used for inline configurations: drop: Alert and drop the packet sdrop: Drop the packet but don’t trigger the alert E.g.: sdropudp $EXTERNAL_NET any …

  48. Snort IPS Added Keywords resp:<resp_keyword>[,resp_keyword] <resp_keyword> = rst_snd, rst_rcv, rst_all, icmp_net, icmp_host, icmp_port, icmp_all Sends RST to packet sender/recipient/both; Sends host/port/network Unreachable react:<react_keyword>[,react_keyword] <react_keyword> = block, warn, msg, proxy Used with HTTP-based attacks. E.g.: alert tcp any any <> $HOME_NET 80 (content: “naughtyContent”; msg: “Not allowed!”; react: block,msg;) replace: “text to replace content with” Allows replacement of potentially dangerous text with safe text: “cmd.exe”->”nocmd.exe”

  49. CISCO Secure Intrusion Detection Management console: Must be in a secure location May alarm, log, page, and/or email administrator Allows configuration of necessary signatures

  50. CISCO Secure Intrusion Detection Sensor Response to Attack: One or more of: • Shun: Dynamically rewrites the access lists to disallow attackers access to internal networks • Can change access lists on firewall or router. • Log: Save alarm information (at sensor and/or management console) • TCP Reset: Send a TCP reset to terminate the connection, after initial attack packets have reached victim.

More Related