Title: Intruders Detection Systems
1. Intrusion Detection Systems
- Presently there is much interest in systems which can detect intrusions: IDS (Intrusion Detection Systems).
- IDSs are of very different character.
- Some focus on one machine and try to stop the intruder from doing damage; LIDS for Linux is one such system.
- Some can detect a worm attack from the way it spreads from machine to machine, like GrIDS.
- Several are actually data mining: they determine from log files whether there is an intrusion, based on reasoning by an expert system. NSTAT is an example.
- Many IDS implementations listen passively to some LAN segment, look at the traffic and detect an intrusion. Snort is a popular freeware program of this Network IDS type.
- Other IDS solutions protect one machine by access controls.
2. What is Intrusion Detection
Intrusion detection systems (IDSs) are designed for detecting, blocking and reporting unauthorized activity in computer networks.
The life expectancy of a default installation of a Red Hat Linux 6.2 server is estimated to be less than 72 hours. The fastest compromise happened in 15 minutes (including scanning, probing and attacking). NetBIOS scans affecting Windows computers were executed at an average of 17 per day (source: Honeynet Project).
3. Unauthorized Use of Computer Systems Within the Last 12 Months (source: CSI/FBI Study)
- Motivation for Intrusion Detection
4. Most Common Attacks (source: CSI/FBI)
- Motivation for Intrusion Detection
- In 2002 the most common attacks were:
  - Virus (78)
  - Insider Abuse of Net Access (78)
  - Laptop theft (55)
  - Denial of Service and System Penetration (40)
  - Unauthorized Access by Insiders (38)
(In the original slide, red color marked the attack types which an IDS can reduce.)
5. There are Application-, Host- and Network IDS
Different Types of IDSs
- Application IDS
  - Watch application logs
  - Watch user actions
  - Stop attacks targeted against an application
- Advantages
  - Encrypted data can be read
- Problems
  - Positioned too high in the attack chain (the attacks reach the application)
6. Application-, Host- and Network IDS
Different Types of IDSs
- Host IDS
  - Watch kernel operations
  - Watch the network interface
  - Stop illegal system operations
  - Drop attack packets at the network driver
- Advantages
  - Encrypted data can be read
  - Each host contributes to the detection process
- Problems
  - Positioned too high in the attack chain (the attacks reach the network driver)
7. Application-, Host- and Network IDS
Different Types of IDSs
- Network IDS
  - Watch network traffic
  - Watch active services and servers
  - Report and possibly stop network-level attacks
- Advantages
  - Attacks can be stopped early enough (before they reach the hosts or applications)
  - Attack information from different subnets can be correlated
- Problems
  - Encrypted data cannot be read
  - Annoyance to normal traffic if for some reason normal traffic is dropped
8. Application-, Host- and Network IDS: Comparison
2. Different Types of IDSs
9. Simple Process Model for ID (diagram)
The diagram shows a three-stage pipeline:
- Input data comes from, for example, application logs, the network driver, or the network cable
- Parse data, filter data and execute the detection algorithms
- Respond: drop packets, send alerts, update routing tables, kill processes etc.
10. Misuse Detection
IDS principle of detection
There are two basic methods used by ID systems: misuse detection and anomaly detection.
- Search for attack signatures, which are patterns, byte code or expressions belonging to a specific attack.
- Often called signature-based detection.
- A signature is created by analysing an attack method.
- The patterns are stored inside the IDS.
Example rule (Snort syntax):
    alert tcp !192.168.1.0/24 any -> 192.168.1.0/24 111 (content:"|00 01 86 A5|"; msg:"External mountd access";)
11. Example of a NIDS: Snort
- Enable the NIDS mode of Snort:
    ./snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf
- The above command means: let Snort work as a NIDS for the network 192.168.1.0/24 according to the rules inside the snort.conf file.
- Sample rule:
    alert udp any any -> 192.168.1.0/24 5060 (content:"|01 6a 42 c8|"; msg:"SIP session signaling";)
- The rules are modular and it is easy to add new rules. Typically the rules raise alarms for all the old, known security breaches, which means that you cannot notice any new kind of breach with them.
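To make the misuse-detection principle concrete, the following added example (written for these notes, not code from Snort or from the slides) parses the two rules above and applies them to constructed packets, showing the all-or-nothing header-plus-content match and the effect of the negated home network. Packet and payload values are made up.

```python
import ipaddress
import re

# The two rules shown on the slides, in Snort syntax.
RULES = [
    'alert tcp !192.168.1.0/24 any -> 192.168.1.0/24 111 (content:"|00 01 86 A5|"; msg:"External mountd access";)',
    'alert udp any any -> 192.168.1.0/24 5060 (content:"|01 6a 42 c8|"; msg:"SIP session signaling";)',
]
HEADER = re.compile(r'^(\w+) (\w+) (\S+) (\S+) -> (\S+) (\S+) \((.*)\)$')

def parse_rule(text):
    """Split a rule into header fields; decode Snort's |hex| content into raw bytes."""
    action, proto, src, sport, dst, dport, body = HEADER.match(text.strip()).groups()
    opts = dict(re.findall(r'(\w+):"([^"]*)";', body))
    pattern = opts.get("content", "")
    pattern = bytes.fromhex(pattern.strip("|")) if pattern.startswith("|") else pattern.encode()
    return dict(action=action, proto=proto, src=src, sport=sport, dst=dst, dport=dport,
                content=pattern, msg=opts.get("msg", ""))

def addr_ok(spec, ip):
    """Match 'any', a CIDR block, or a negated block such as !192.168.1.0/24."""
    if spec == "any":
        return True
    inside = ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip("!"))
    return inside != spec.startswith("!")

def port_ok(spec, port):
    return spec == "any" or int(spec) == port

def matches(rule, pkt):
    """A rule fires only when protocol, addresses, ports and payload content all match."""
    return (rule["proto"] == pkt["proto"]
            and addr_ok(rule["src"], pkt["src"]) and port_ok(rule["sport"], pkt["sport"])
            and addr_ok(rule["dst"], pkt["dst"]) and port_ok(rule["dport"], pkt["dport"])
            and rule["content"] in pkt["payload"])

def run_rules(packets, rules=RULES):
    """Return, for each packet, the msg text of every rule it triggers."""
    parsed = [parse_rule(r) for r in rules]
    return [[r["msg"] for r in parsed if matches(r, p)] for p in packets]

# Constructed packets (not real captures): an external mountd probe to the portmapper,
# the same payload from inside the home net (excluded by the "!"), and a SIP packet.
PACKETS = [
    dict(proto="tcp", src="10.0.0.5", sport=1034, dst="192.168.1.10", dport=111,
         payload=b"\x80\x00\x00\x28\x00\x00\x00\x01\x00\x01\x86\xa5"),
    dict(proto="tcp", src="192.168.1.20", sport=1034, dst="192.168.1.10", dport=111,
         payload=b"\x00\x01\x86\xa5"),
    dict(proto="udp", src="10.0.0.5", sport=5060, dst="192.168.1.10", dport=5060,
         payload=b"INVITE\x01\x6a\x42\xc8"),
]
```

Note that the second packet carries exactly the signature bytes but raises nothing: the negated source network is part of the signature, which is why a signature only ever catches what its author anticipated.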
12. Anomaly Detection
IDS principle of detection
Distinguish abnormal from normal.
- Threshold Detection
  - X events in Y seconds trigger the alarm
- Statistical Measures
  - Check whether the current traffic profile matches the normal profile
- Rule-Based Methods
  - Jack never logs in at 6 to 8 AM
  - If Jack just sent email from the Espoo office, he should not send email from the New York office at the same time
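The threshold and rule-based methods above, as an added example written for these notes (not part of the original slides): a sliding-window counter for "X events in Y seconds", plus the two rules about Jack, run over a constructed audit trail. The ten-minute travel window and the user names are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit trail, not a real log: (user, timestamp, office, action).
EVENTS = [
    ("jack", "2002-08-22 09:15:00", "Espoo", "login"),
    ("jack", "2002-08-22 09:20:00", "Espoo", "sendmail"),
    ("jack", "2002-08-22 09:21:00", "New York", "sendmail"),   # "same time", other office
    ("jack", "2002-08-23 06:40:00", "Espoo", "login"),         # inside 6 to 8 AM
    ("alice", "2002-08-23 10:00:00", "Espoo", "login"),
] + [("alice", "2002-08-23 10:00:%02d" % s, "Espoo", "failed_login") for s in range(0, 40, 5)]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def threshold_alarms(events, action="failed_login", x=5, y=60):
    """Threshold detection: x events of one kind per user within y seconds raise an alarm."""
    windows, alarms = defaultdict(deque), []
    for user, ts, office, act in events:
        if act != action:
            continue
        t, w = parse(ts), windows[user]
        w.append(t)
        while t - w[0] > timedelta(seconds=y):   # slide the window forward
            w.popleft()
        if len(w) == x:                           # fire once, on the x-th event
            alarms.append((user, ts, "%d %s events within %d s" % (x, action, y)))
    return alarms

NEVER_HOURS = {"jack": range(6, 8)}     # "Jack never logs in at 6 to 8 AM"
TRAVEL_WINDOW = timedelta(minutes=10)   # assumed: offices cannot be switched faster than this

def rule_alarms(events):
    """Rule-based detection: per-user time-of-day rule and the two-offices rule."""
    last_seen, alarms = {}, []
    for user, ts, office, act in events:
        t = parse(ts)
        if act == "login" and t.hour in NEVER_HOURS.get(user, ()):
            alarms.append((user, ts, "login during hours this user never logs in"))
        prev = last_seen.get(user)
        if prev and prev[1] != office and t - prev[0] < TRAVEL_WINDOW:
            alarms.append((user, ts, "activity from %s right after %s" % (office, prev[1])))
        last_seen[user] = (t, office)
    return alarms
```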
13. Example: anomaly detection engine SPADE
Sample alerts produced by the SPADE preprocessor (spp_anomsensor) of Snort:
    [**] [104:1:1] spp_anomsensor: Anomaly threshold exceeded: 3.8919 [**]
    08/22-22:37:00.419813 24.234.114.96:3246 -> VICTIM.HOST:80
    TCP TTL:116 TOS:0x0 ID:25395 IpLen:20 DgmLen:48 DF
    ******S* Seq: 0xEBCF8EB7  Ack: 0x0  Win: 0x4000  TcpLen: 28
    TCP Options (4) => MSS: 1460 NOP NOP SackOK

    [**] [104:1:1] spp_anomsensor: Anomaly threshold exceeded: 10.5464 [**]
    08/22-22:22:46.577210 24.41.81.216:2065 -> VICTIM.HOST:27374
    TCP TTL:108 TOS:0x0 ID:10314 IpLen:20 DgmLen:48 DF
    ******S* Seq: 0x63B97FE2  Ack: 0x0  Win: 0x4000  TcpLen: 28
    TCP Options (4) => MSS: 1460 NOP NOP SackOK

    [**] [104:1:1] spp_anomsensor: Anomaly threshold exceeded: 7.8051 [**]
    08/23-23:04:53.051245 VICTIM.HOST:31337 -> 64.230.133.196:3486
    TCP TTL:255 TOS:0x0 ID:0 IpLen:20 DgmLen:40 DF
    ***A*R** Seq: 0x0  Ack: 0x22676B9  Win: 0x0  TcpLen: 20

    [**] [104:1:1] spp_anomsensor: Anomaly threshold exceeded: 9.0907 [**]
    09/02-01:30:31.545406 VICTIM.HOST:515 -> 24.42.220.45:1189
    TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:60 DF
    ***A**S* Seq: 0x16FC5A7F  Ack: 0x529F8CE7  Win: 0x16A0  TcpLen: 40
    TCP Options (5) => MSS: 1460 SackOK TS: 124399151 14755839 NOP
    TCP Options => WS: 0
14. Anomaly/Misuse Detection Comparison
IDS principle of detection
15. Responses
IDS response principles
- Alerts and notifications: email, SMS, pager (an important issue: the alert path must be bulletproof)
- Increase surveillance: log more
- Throttling: slow down malicious traffic
- Blocking access: drop data, update the firewall/router
- Make counterattack: eye-for-an-eye tactics
- Honey pots and padded cells: route the hacker to a fake system and let him play freely
16. Detection problems
IDS problems in the detection stage
- True positive, TP: a malicious attack that is correctly detected as malicious.
- True negative, TN: not an attack, and correctly classified as benign.
- False positive, FP: not an attack, but classified as an attack.
- False negative, FN: an attack that has been incorrectly classified as benign.
- The detection rate is obtained by testing the IDS against a set of intrusive scenarios.
The false alarm rate is the limiting factor for the performance of an IDS.
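Why the false alarm rate is the limiting factor, worked through in an added example (written for these notes, not from the slides): the detection rate and false alarm rate are computed from a constructed evaluation run, and Bayes' rule then shows what fraction of raised alarms are real attacks once attacks are rare. All counts are made up.

```python
# Constructed evaluation run (not real data): each entry is (IDS verdict, ground truth),
# True meaning "attack". 20 intrusive scenarios and 1000 benign sessions.
RESULTS = ([(True, True)] * 17 + [(False, True)] * 3          # 17 of 20 attacks caught
           + [(True, False)] * 10 + [(False, False)] * 990)    # 10 false alarms

def confusion(results):
    """Count TP, TN, FP and FN exactly as defined on the slide."""
    tp = sum(1 for verdict, truth in results if verdict and truth)
    fn = sum(1 for verdict, truth in results if not verdict and truth)
    fp = sum(1 for verdict, truth in results if verdict and not truth)
    tn = sum(1 for verdict, truth in results if not verdict and not truth)
    return tp, tn, fp, fn

def detection_rate(results):
    tp, tn, fp, fn = confusion(results)
    return tp / (tp + fn)          # share of the intrusive scenarios that were caught

def false_alarm_rate(results):
    tp, tn, fp, fn = confusion(results)
    return fp / (fp + tn)          # share of benign events that raised an alarm

def alert_precision(det_rate, fa_rate, attack_fraction):
    """Probability that an alarm is a real attack, given how rare attacks are (Bayes' rule).

    attack_fraction is the share of all observed events that are attacks."""
    true_alarms = det_rate * attack_fraction
    false_alarms = fa_rate * (1 - attack_fraction)
    return true_alarms / (true_alarms + false_alarms)
```

With the run above the IDS scores a detection rate of 0.85 and a false alarm rate of 0.01, yet if only one event in ten thousand is an attack, fewer than one alarm in a hundred is genuine; the analyst's workload is set by the false alarm rate, not the detection rate.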
17. Advanced IDS Techniques
For Protection
- Stream reassembly: follow connections and sessions
- Traffic normalization: see that protocols are followed
- Bayesian networks: data mining and decision networks
- Graphical IDSs (for example GrIDS): use graphs to model attacks
- Feature equality heuristics: port stepping, packet gap recognition
- Genetic programming, human immune systems
- Tens of research systems exist
For Attacks
- Evasion methods (fragmentation, mutation etc.)
- IDS thrashing (DoS tools like stick/snot that overload the IDS and crash its detection capability)
18. Detecting Intruders
- Commercially the most used IDS systems are probably misuse-based Network ID systems, but Host-level IDS is also needed.
- As an example of a Host-level IDS let us look at LIDS for Linux.
- The philosophy of LIDS is to have a three-layer protection:
  - Firewall
  - PortSentry
  - LIDS
- The firewall limits access to only the allowed ports. On a Web server only TCP port 80 is absolutely necessary.
- Disable ports which are not used, for instance by removing the daemons or by modifying /etc/inetd.conf. Leave only the basic activities needed.
19. Detecting Intruders
- PortSentry is put on some port which is often scanned but not used in the system.
- One should find suitable ports for PortSentry by looking at ports which are scanned often, like 143 or 111.
- Typically nowadays hackers do sweep scanning, looking at only one port on several machines.
- PortSentry monitors activity on specific TCP/UDP ports. PortSentry can take actions, like denying further access to the port.
- This is based on the assumption that the hacker will first probe the machine for weaknesses with a scanner.
- You start PortSentry in TCP mode by running:
    portsentry -tcp
- The ports are listed in the portsentry.conf file.
20. Detecting Intruders
- LIDS
- LIDS is an intrusion detection system that resides in the Linux kernel.
- It basically limits the rights of the root user to make modifications. It limits root's direct port access, direct memory access and raw access, prevents modification of log files, and limits access to the file system. It also prevents installation of sniffers or changing firewall rules.
- An administrator can remove the protection by giving a password to LIDS, but if a hacker breaks into root, he cannot do much damage without the LIDS password.
- Is this good? It certainly makes the life of a hacker more difficult, but what about a hacker getting into the kernel?
- How nice is it to be an administrator using LIDS?