intrusion detection system (IDS) | PPT
INTRUSION DETECTION SYSTEMS (IDS)
Presented by:
Definitions
• Intrusion
– A set of actions aimed at compromising the security goals, namely:
• Integrity, confidentiality, or availability of a computing and networking resource.
• Intrusion detection
– The process of identifying and responding to intrusion activities.
• Intrusion prevention
– Extension of ID with the exercise of access control to protect computers from exploitation.
REAL LIFE ANALOGY
Digging a Tunnel
RelTunel – ICMP Tunnel
• You spend great money on concrete walls (firewalls), but they are of no use if someone can dig through them.
WHY DO I NEED AN IDS, I HAVE A FIREWALL?
Components of Intrusion Detection System
• Audit Records → Audit Data Preprocessor → Activity Data
• Activity Data → Detection Engine (uses Detection Models) → Alarms
• Alarms → Decision Engine (uses Decision Table) → Action/Report
• Assumptions: system activities are observable; normal and intrusive activities have distinct evidence.
E-COMMERCE + WELL KNOWN NAME = HACKER TARGET
• A clear example is the Denial of Service attacks against Yahoo, eBay, and other popular sites.
• ISCA Info Security Magazine, Sept 2012
– Comparison of E-Comm sites (left column) vs Non-E-Comm sites (right column)
Threat                     E-Comm   Non E-Comm
Viruses/Trojan/worm        82%      76%
Denial of service          42%      31%
Active Scripting exploit   40%      34%
Protocol Weaknesses        29%      23%
Insecure Passwords         30%      20%
Buffer Overflow            29%      20%
Bugs in web server         33%      16%
Who are the targets?
• Simply being connected is a good enough reason to be a target. The search for easy-to-compromise hosts is ongoing.
• Fast bandwidth is now a cheap commodity.
• Cable modem and ADSL access is the equivalent of having a T1 link in your home.
• Kids of all ages can scan a whole country in a very short time frame.
• No specific motive: they do it for fame, fun, to show off, or just because they have nothing else to do. No technical knowledge is required to be a “Script Kiddie”.
The biggest threat: EXPOSURE…!!!!!
• The biggest threat of all is bad publicity: having your company's reputation and name associated with an intrusion, site modification and defacement, or even attacks on other sites using your resources as a launch platform.
• It could kill all faith in the belief that you can offer a secure environment for E-Commerce or other online activities.
• Perception is often not the reality, but outsiders and customers do not care that the specific site was on a bronze plan or that it was not hosted in house.
• PEOPLE ONLY READ LARGE TITLES such as:
Intrusion Detection Approaches
• Modeling
– Features: evidence extracted from audit data
– Analysis approach: piecing the evidence together
• Misuse detection (a.k.a. signature-based)
• Anomaly detection (a.k.a. statistical-based)
• Deployment: Network-based or Host-based
– Network-based: monitor network traffic.
– Host-based: monitor computer processes.
Misuse Detection
• Known intrusion patterns are matched against observed activities; a match indicates an intrusion.
• Example: if (src_ip == dst_ip) then “land attack”
Anomaly Detection
• Activity measures (e.g., CPU, process size) are compared against a normal profile; an abnormal deviation indicates a probable intrusion.
[Figure: bar chart of activity measures (scale 0–90) for CPU and Process Size, normal profile vs abnormal]
• Relatively high false positive rate
– Anomalies can just be new normal activities.
– Anomalies caused by other element faults, e.g., router failure or misconfiguration, P2P misconfiguration.
• Any problem?
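The normal-profile idea on this slide as an added example (not code from the deck): a z-score profile over constructed CPU and process-size samples, extended with a never-seen-before check of the kind the statistical login-time analysis uses, and a retrain step showing how a "new normal" false positive is absorbed. The NormalProfile class, the measure names and all sample values are assumptions made for this example.

```python
"""Profile-based anomaly detection over activity measures (added example).
Numeric measures (CPU %, process size) are compared with a normal profile built
from an observation window; a deviation beyond a z-score threshold is a probable
intrusion. A "never seen before" check covers categorical values such as a login
hour. All sample data is constructed for the example."""
from statistics import mean, pstdev

class NormalProfile:
    def __init__(self, threshold=3.0):
        self.threshold = threshold   # z-score beyond which a value is abnormal
        self.numeric = {}            # measure -> (mean, stdev, training samples)
        self.seen = {}               # measure -> set of values observed before

    def train(self, measure, samples):
        """Build the numeric profile of one measure from a window of samples."""
        self.numeric[measure] = (mean(samples), pstdev(samples), list(samples))

    def observe_category(self, measure, value):
        self.seen.setdefault(measure, set()).add(value)

    def check_numeric(self, measure, value):
        """Return (is_abnormal, z_score) for a new observation."""
        mu, sigma, _ = self.numeric[measure]
        z = (value - mu) / (sigma or 1.0)   # guard against a flat profile
        return abs(z) > self.threshold, round(z, 2)

    def check_category(self, measure, value):
        """Flag a value never observed for this measure (e.g. a login hour)."""
        return value not in self.seen.get(measure, set())

    def retrain(self, measure, value):
        """Absorb a confirmed benign observation so it becomes the new normal."""
        _, _, samples = self.numeric[measure]
        self.train(measure, samples + [value])

def demo():
    p = NormalProfile(threshold=3.0)
    # Constructed observation window: CPU % and resident process size in MB.
    p.train("cpu", [20, 25, 22, 30, 28, 24, 26, 23])
    p.train("process_size", [40, 42, 45, 41, 43, 44, 42, 40])
    for hour in (8, 9, 9, 10, 14, 17):      # hours at which cdupuis logged on before
        p.observe_category("login_hour:cdupuis", hour)
    results = {
        "cpu_normal": p.check_numeric("cpu", 27)[0],               # False
        "cpu_abnormal": p.check_numeric("cpu", 85)[0],             # True
        "size_abnormal": p.check_numeric("process_size", 90)[0],   # True
        "login_0300": p.check_category("login_hour:cdupuis", 3),   # True
    }
    # A legitimate new batch job pushes CPU to 70: flagged as abnormal (a false
    # positive) until the profile is retrained to include it as new normal activity.
    results["new_normal_before"] = p.check_numeric("cpu", 70)[0]   # True
    p.retrain("cpu", 70)
    results["new_normal_after"] = p.check_numeric("cpu", 70)[0]    # False
    return results

if __name__ == "__main__":
    print(demo())
```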
TYPE OF ANALYSIS
• Signature based (Pattern matching)
– Similar to a virus scanner: look for a specific string in the network data being presented to the IDS
• Statistical
– Based on time, frequency, length of session
– For example: cdupuis logs on at 03:00 AM and has never done so in the past; this will raise a flag
• Integrity Checker
– Based on a hashing mechanism. Detects authorized and unauthorized changes to files within your systems.
• Anomaly Detection/Behavior Based
• Flow Based
There are Two Types of IDS:
Host-Based IDSs
• Using OS auditing mechanisms
– E.g., BSM (Basic Security Module) on Solaris: logs all direct or indirect events generated by a user
• Problems: user dependent
– Have to install the IDS on all user machines!
– Ineffective for large scale attacks
The Spread of Sapphire/Slammer Worms
HOST BASED (Advantages)
• Monitors in terms of who accessed what
• Can map problem activities to a specific user id
• System can track behavior changes associated with misuse
• Can operate in an encrypted environment
• Operates in switched networks
• Monitoring load is distributed across multiple hosts rather than on a single host, reporting only relevant data to a central console
HOST BASED (Disadvantages)
• Cannot see all network activities.
• Running audit mechanisms adds load to the system; performance may be an issue.
• Audit trails can take lots of storage.
• Escalation of false positives.
• Greater deployment and maintenance cost.
Network IDS
• Deploying sensors at strategic locations
– E.g., packet sniffing via tcpdump at routers
• Inspecting network traffic
– Watch for violations of protocols and unusual connection patterns.
• Monitoring user activities
– Look into the data portions of the packets for malicious code.
• May be easily defeated by encryption
– Data portions and some header information can be encrypted.
– The decryption engine may still be there, especially for exploits.
Architecture of Network IDS
• Packet capture (libpcap) → TCP reassembly → Protocol identification → Packet stream → Signature matching (& protocol parsing when needed)
Network Based IDSs
• At the early stage of the worm, only limited worm samples.
• Host based sensors can only cover limited IP space, which might have scalability issues. Thus they might not be able to detect the worm in its early stage.
[Figure: Internet → gateway routers → our network, with host based detection on individual hosts]
Requirements of Network IDS
• High-speed, large volume monitoring
– No packet filter drops
• Real-time notification
• Mechanism separate from policy
• Extensible
• Broad detection coverage
• Economy in resource usage
• Resilience to stress
• Resilience to attacks upon the IDS itself!
NETWORK BASED (Advantages)
• Can get information quickly without any reconfiguration of computers or need to redirect logging mechanisms
• Does not affect network or data sources
• Monitors and detects network attacks or misuse in real time
• Does not create system overhead
NETWORK BASED (Disadvantages)
• Cannot scan protocols if the data is encrypted
• Can infer from network traffic what is happening on a host but cannot tell the outcome
• Hard to implement on fully switched networks
• Has difficulties sustaining networks with very large bandwidth
Limitations of Exploit Based Signature
[Figure: traffic filtering between the Internet and our network with exploit signature 10.*01; of the four packets 1010101, 10111101, 11111100 and 00010111, only the first two match the signature and are blocked (X)]
• Polymorphic worm might not have an exact exploit based signature
• Polymorphism!
Vulnerability Signature
• Works for polymorphic worms.
• Works for all the worms which target the same vulnerability.
[Figure: vulnerability signature traffic filtering between the Internet and our network; all four packets are blocked (X) before they reach the vulnerability]
Example of Vulnerability Signatures
• At least 75% of vulnerabilities are due to buffer overflow
• Sample vulnerability signature
– Field length corresponding to the vulnerable buffer > certain threshold
– Intrinsic to the buffer overflow vulnerability and hard to evade
[Figure: a protocol message whose field maps onto the vulnerable buffer; an over-long field causes Overflow!]
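The three signature styles discussed above (the land-attack header rule from the Misuse Detection slide, the exploit signature 10.*01 from the polymorphism slide, and the field-length vulnerability signature from this slide) as one added example, not code from the deck. The "CMD <name> <arg>" message format, the 64-byte buffer limit and all packets are constructed assumptions; the four bit strings are the ones on the slide.

```python
"""Misuse detection with three kinds of signature (added example, not from the
slide deck): a header rule (land attack: src_ip == dst_ip), an exploit-based
byte pattern, and a vulnerability-based length check on the protocol field that
feeds the vulnerable buffer. Packets and the message format are constructed."""
import re

# Exploit signature from the deck's diagram, as a regex over the bit string
# of a payload; packets are represented as dicts with a "bits" field.
EXPLOIT_SIGNATURE = re.compile(r"^10.*01$")

# Constructed protocol message "CMD <name> <arg>\n", where <arg> is copied by a
# hypothetical server into a 64-byte buffer (the vulnerable buffer).
VULNERABLE_FIELD_MAX = 64

def land_attack(pkt):
    """Header-based rule: a packet whose source equals its destination."""
    return pkt["src_ip"] == pkt["dst_ip"]

def exploit_signature_match(payload_bits):
    return EXPLOIT_SIGNATURE.match(payload_bits) is not None

def vulnerability_signature_match(message):
    """Length check on the field that is copied into the vulnerable buffer;
    the bytes in the field do not matter, so a polymorphic payload is still caught."""
    parts = message.split(b" ", 2)
    if len(parts) < 3 or parts[0] != b"CMD":
        return False
    return len(parts[2].rstrip(b"\n")) > VULNERABLE_FIELD_MAX

def inspect(pkt):
    """Run every rule over one packet and return the list of alerts raised."""
    alerts = []
    if land_attack(pkt):
        alerts.append("land attack")
    if "bits" in pkt and exploit_signature_match(pkt["bits"]):
        alerts.append("exploit signature 10.*01")
    if "message" in pkt and vulnerability_signature_match(pkt["message"]):
        alerts.append("vulnerability signature: field length > %d" % VULNERABLE_FIELD_MAX)
    return alerts

def demo():
    # Constructed traffic; the four bit strings are the ones on the slide.
    packets = [
        {"src_ip": "10.0.0.5", "dst_ip": "10.0.0.5", "bits": "0000"},
        {"src_ip": "1.2.3.4", "dst_ip": "10.0.0.7", "bits": "1010101"},
        {"src_ip": "1.2.3.4", "dst_ip": "10.0.0.7", "bits": "10111101"},
        {"src_ip": "1.2.3.5", "dst_ip": "10.0.0.7", "bits": "11111100"},  # polymorphic variant
        {"src_ip": "1.2.3.5", "dst_ip": "10.0.0.7", "bits": "00010111"},  # polymorphic variant
        {"src_ip": "1.2.3.6", "dst_ip": "10.0.0.8", "message": b"CMD set " + b"A" * 40 + b"\n"},
        {"src_ip": "1.2.3.6", "dst_ip": "10.0.0.8", "message": b"CMD set " + b"A" * 200 + b"\n"},
        {"src_ip": "1.2.3.6", "dst_ip": "10.0.0.8", "message": b"CMD set " + b"B" * 200 + b"\n"},
    ]
    return [inspect(p) for p in packets]

if __name__ == "__main__":
    for alerts in demo():
        print(alerts)
```

The two over-long messages differ in content but raise the same vulnerability-signature alert, while the two polymorphic bit strings slip past the exploit signature.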
Current State of IDS
• Lots of people are still using Firewall and Router logs for Intrusion Detection (Home Brew)
• IDS are not very mature.
• Mostly signature based.
• It is a quickly evolving domain.
• Giant leaps and progress every quarter.
• As stated by Bruce Schneier in his book ‘Secrets and Lies in a digital world’:
Prevention → Detection (getting to this point today) → Response
• SNORT, FIRESTORM, PRELUDE, DRAGON, SonicWALL
WHAT CAN IDS REALISTICALLY DO?
– Monitor and analyse user and system activities
– Audit system and configuration vulnerabilities
– Assess the integrity of critical system and data files
– Recognize patterns reflecting known attacks
– Statistical analysis of abnormal activities
– Data trail: tracing activities from the point of entry up to the point of exit
– Installation of decoy servers (HONEY POTS)
– Installation of vendor patches (some IDS)
WHAT IDS CANNOT DO?
– Compensate for weak authentication and identification mechanisms.
– Investigate attacks without human intervention.
– Guess the content of your organization's security policy.
– Compensate for weaknesses in networking protocols, for example IP spoofing.
– Compensate for integrity or confidentiality of information.
– Deal adequately with attacks at the packet level.
SUMMARY
• Select the IDS you wish to use according to your needs and requirements (short list).
• Select hardware.
• Decide on positioning of the IDS (total, per customer, per zone, etc.).
• Acquire and install HW and SW (perform tests).
• Minimize false positives and false negatives.
• Deploy to the production environment.
• Monitor, tune, update, monitor, tune, update…

Editor's Notes

  • #11 Need “both” on all these.
  • #16 BSM: Basic Security Module
  • #17 In the first 30 minutes of Sapphire’s spread, we recorded nearly 75,000 unique infections. As we will detail later, most of these infections actually occurred within 10 minutes. This graphic is more for effect rather than technical detail: We couldn’t determine a detailed location for all infections, and the diameter of each circle is proportional to the lg() of the number of infections, underrepresenting larger infections. Nevertheless, it gives a good feel for where Sapphire spread. We monitored the spread using several “Network Telescopes”, address ranges where we had sampled or complete packet traces at single sources. We also used the D-shield distributed intrusion detection system to determine IPs of infected machines, but we couldn’t use this data for calculating the scanning rate.
  • #20 Problems: mainly accuracy