Intrusion Detection

1
Intrusion Detection

• CS-480b
• Dick Steflik

2
Hacking Attempts

• IP Address Scans
• scan the range of addresses looking for hosts
  (ping scan)
• Port Scans
• scan promising ports for openness (80, 21, )
• Service Evaluation
• determine the OS
• Target Selection
• pick the most vulnerable host, most running
  services...
• Vulnerability Probes
• Automated password attacks
• FTP, HTTP, NetBIOS, VNC PCAnywhere.
• Application specific attacks
• try known vulnerabilities on present services

3
Intrusion Detection Systems (IDS)

• Inspection Based (Signature Based)
• Uses a database of known attack signatures
• observe the activity on a host or network and
  make judgements about whether or not an intrusion
  is in progress or has taken place
• look for known indicators
• ICMP Scans, port scans, connection attempts
• CPU, RAM I/O Utilization
• File system activity, modification of system
  files, permission modifications
• Anomaly Based
• baseline the normal traffic and then look for
  things that are out of the norm
• Variations of IDS
• Rule based
• Statistical
• Hybrid

4
Decoys/Honeypots

• Purposely place an incorrectly configured or
  unprotected system where it is easily found so
  that a hacker will try to use it as an attack
  vector.
• All accesses will set off alarms that indicate an
  intrusion is in progress

5
IDS Systems

• Tripwire
• Windows or UNIX
• alarms on modification to system files
• c\
• c\WINNT
• c\WINNT\system
• c\WINNT\system32
• CyberCop
• Network Assoc.
• suite of 4 ID tools
• Sun/Symantec
• iForce IDS Appliance
• Sun/Solaris and Symantecs ManHunt IDS
• ID Analysis at 2 Gbits /sec
• ManHunt uses distributed network sensors and a
  variety of methods to identify threats, including
  protocol-anomaly detection, signature detection,
  traffic-state profiling and statistical flow
  analysis.

6
SNORT

• Open Source ( http//www.snort.org )
• Uses
• Packet Sniffer
• produces a tcpdump formatted output
• Packet Logger
• can log packets so that after-the-fact data
  mining tools can be used for analysis
• Traffic Debugging and Analysis
• Can design a ruleset that recognizes certain
  traffic patterns
• Can do both anomaly based and Inspection based
  detection
• SPADE (Silicon Defense) a SNORT preprocessor
  that logs anomalies for later analysis

7
ActiveScout

• ForeScout Technologies ( http//www.forescout.com
  )
• Intrusion Prevention Tool
• Method
• Watches for hacker reconnaissance (port scans,
  NetBios Scans, ect.)
• Return bogus info to hacker
• If hackers attempts to break in with the bogus
  data Active Scout sets off alarms or block any
  further traffic for the intruder
• Downside only works in conjunction with Check
  Points Firewall-1
• Requires little administration and eliminates
  many false positives
• Cost w/T1 port is about 10K

8
Manhunt

• Symantec Corp. ( http//www.symantec.com )
• Advanced Threat Management System
• Signature based hybrid detection
• protocol anomaly detection
• traffic rate monitoring
• protocol state tracking
• IP packet reassembly to provide a level of
  detection superior to other, signature-based
  systems. These detection capabilities can
  identify threats in real time, eve
• Real-time Analysis and Correlation
• collects information from security devices
  throughout the network to spot trends
• Automatic Policy Based Responses
• Scaleable Across Geographic Areas of an
  Enterprise
• one Manhunt can be configured across 10 network
  segments

9
Watson Researchers

• Kanad Ghose
• Doug Summerville
• Viktor Skormann
• Mark Fowler