IDS/IPS Definition and Classification - PowerPoint PPT Presentation

Provided by: slobodan4
Slides: 58

1
IDS/IPS Definition and Classification
2
Contents
  • Overview of IDS/IPS
  • Components of an IDS/IPS
  • IDS/IPS classification
    • By scope of protection
    • By detection model

3
Overview of IDS/IPS
  • Intrusion
    • A set of actions aimed at compromising the security goals (confidentiality, integrity, availability) of a computing/networking resource.
  • Intrusion detection
    • The process of identifying and responding to intrusion activities.
  • Intrusion prevention
    • The process of both detecting intrusion activities and managing responsive actions throughout the network.

4
Overview of IDS/IPS
  • Intrusion detection system (IDS)
    • A system that automatically performs the process of intrusion detection.
  • Intrusion prevention system (IPS)
    • A system that has the ambition to both detect intrusions and manage responsive actions.
    • Technically, an IPS contains an IDS and combines it with preventive measures (firewall, antivirus, vulnerability assessment) that are often implemented in hardware.

5
Overview of IDS/IPS
  • Some authors consider an IPS a new (fourth) generation IDS, a convergence of firewall and IDS.
  • An IPS uses IDS algorithms to monitor traffic and drop/allow it based on expert analysis.
  • The firewall part of an IPS can prevent malicious traffic from entering/exiting the network. It can also alert the operator about such activities.

6
Overview of IDS/IPS
  • A complete IPS solution usually has the capability of enforcing traditional static firewall rules and operator-defined whitelists and blacklists.
  • IPS are very resource intensive. In order to operate with high performance, they should be implemented by means of the best hardware and software technologies.
  • IPS hardware often includes ASICs (Application Specific Integrated Circuits).

7
Overview of IDS/IPS
  • Principal differences between IDS and IPS
    • IPS try to block malicious traffic, unlike IDS that just alert personnel to its presence.
    • IPS act to combine single-point security solutions (anti-virus, anti-spam, firewall, IDS, etc.).

8
Overview of IDS/IPS
  • Basic assumptions
    • System activities are observable.
    • Normal and intrusive activities have distinct evidence; the goal of an IDS/IPS is to detect the difference.

9
Components of an IDS/IPS
[Diagram: IDS/IPS components. Incoming traffic/logs ("system activities are observable") -> Data pre-processor -> Activity data -> Detection algorithm, driven by Detection model(s) ("normal and intrusive activities have distinct evidence") -> Alerts -> Alert filter, driven by Decision criteria -> Action/Report.]
10
Components of an IDS/IPS
  • Data pre-processor
    • Collects and formats the data to be analyzed by the detection algorithm.
  • Detection algorithm
    • Based on the detection model, detects the difference between normal and intrusive audit records.
  • Alert filter
    • Based on the decision criteria and the detected intrusive activities, estimates their severity and alerts the operator/manages responsive activities (usually blocking).

11
Components of an IDS/IPS
  • Incoming traffic/log data
    • Packets: headers contain routing information; the content may also be important for detecting intrusions (and increasingly is).
    • Logs: a chronological set of records of system activity.

12
Components of an IDS/IPS
  • Incoming traffic/log data (cont.)
    • Problems related to data
      • Inadequate format for intrusion detection
      • Information important for intrusion detection is often missing (e.g. in log files).
    • Thus we need some data pre-processing
      • Adjust data format (relatively easy)
      • Resolve for missing data (not so easy)
        • Insertion of reconstructed values
        • Special distances (for unequal-length data patterns)

13
Components of an IDS/IPS
  • Detection algorithm
    • Checks the incoming data for the presence of anomalous content.
    • A major detection problem
      • There is no sharp boundary between normal and intrusive activity; it often depends on the context, hence statistical analysis of the input data may be useful.
      • To determine the context, a lot of memory is needed.

14
Components of an IDS/IPS
  • Alert filter
    • Determines the severity of the detected intrusive activity.
    • A major decision problem
      • It is difficult to estimate the severity of a threat in real time.
      • Filtering is normally carried out by means of a set of thresholds (decision criteria). Thresholds should be carefully set in order to maintain a high level of security and a high level of system performance at the same time.
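
As an added example (not part of the slides), the three components above as a small Python pipeline over constructed sshd-style log lines: the pre-processor normalizes the format and reconstructs a missing source address, the detection algorithm counts failed logins per source and user, and the alert filter turns counts into severities with a set of thresholds. The log lines, the threshold values and all function names are constructed for this illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass
# Constructed sample log lines (sshd-style). The third line is missing the
# source address, the "information missing from logs" case; the last line
# is in a format the pipeline does not understand.
RAW_LOGS = [
    "Jan 10 10:00:01 sshd[4120]: Failed password for root from 198.51.100.7",
    "Jan 10 10:00:02 sshd[4120]: Failed password for root from 198.51.100.7",
    "Jan 10 10:00:03 sshd[4120]: Failed password for root",
    "Jan 10 10:00:05 sshd[4121]: Accepted password for alice from 192.0.2.14",
    "Jan 10 10:00:06 sshd[4120]: Failed password for admin from 198.51.100.7",
    "not a recognised line",
]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} [\d:]{8}) sshd\[(?P<pid>\d+)\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+)"
    r"(?: from (?P<src>[\d.]+))?$")

@dataclass
class Record:  # the "activity data" the detection algorithm consumes
    ts: str
    pid: str
    result: str
    user: str
    src: str

def preprocess(lines):
    """Data pre-processor: adjust the format and resolve missing data. A missing
    source address is reconstructed from the last record seen for the same
    sshd process (same session); otherwise it is marked unknown."""
    records, last_src_by_pid = [], {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # inadequate format: cannot be analysed, skip it
        src = m["src"] or last_src_by_pid.get(m["pid"], "unknown")
        last_src_by_pid[m["pid"]] = src
        records.append(Record(m["ts"], m["pid"], m["result"], m["user"], src))
    return records

def detect(records):
    """Detection algorithm: failed-login count per (source, user)."""
    fails = Counter((r.src, r.user) for r in records if r.result == "Failed")
    return [(src, user, n) for (src, user), n in fails.items()]

# Decision criteria: minimum count for each severity, checked highest first.
THRESHOLDS = [(5, "high"), (3, "medium"), (2, "low")]

def alert_filter(findings, thresholds=THRESHOLDS):
    """Alert filter: rate severity by threshold; drop sub-threshold findings."""
    alerts = []
    for src, user, n in findings:
        severity = next((s for limit, s in thresholds if n >= limit), None)
        if severity:
            alerts.append({"src": src, "user": user, "count": n, "severity": severity})
    return alerts

def run_pipeline(lines=RAW_LOGS):
    return alert_filter(detect(preprocess(lines)))
```

Lowering the "low" threshold to 1 would also report the single failure for admin, which is the security-versus-noise trade-off the slide describes.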

15
IDS/IPS classification
  • By scope of protection (or by location)
    • Host-based IDS
    • Network-based IDS
    • Application-based IDS
    • Target-based IDS
  • By detection model
    • Misuse detection
    • Anomaly detection

16
IDS classification
  • Host-based
    • Collect data from sources internal to a computer, usually at the operating system level (various logs etc.).
    • Monitor user activities.
    • Monitor executions of system programs.

17
IDS classification
  • Network-based
    • Collect network packets. This is usually done by using network devices that are set to promiscuous mode. (A network device operating in promiscuous mode captures all network traffic accessible to it, not just that addressed to it.)
    • Have sensors deployed at strategic locations.
    • Inspect network traffic.
    • Monitor user activities on the network.

18
IDS classification
  • Application-based
    • Collect data from running applications.
    • The data sources include application event logs and other data stores internal to the application.

19
IDS classification
  • Target-based (integrity verification)
    • Generate their own data (by adding code to the executable, for example).
    • Use checksums or cryptographic hash functions to detect alterations to system objects and then compare these alterations to a policy.
    • Trace calls to other programs from within the monitored application.
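
An added example (not part of the slides) of the hash-based integrity check just described: a SHA-256 baseline is taken over a directory tree, the tree is re-hashed later, and each alteration is judged against a policy that lists the objects allowed to change. The directory layout, the policy and the `demo` scenario are constructed for this illustration.

```python
import hashlib
import os
import tempfile
# Constructed policy: objects whose contents may legitimately change.
POLICY = {"allowed_to_change": {"var/log/app.log"}}

def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large objects are handled."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root):
    """Map each path (relative to root, '/'-separated) to its digest."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline

def verify(root, baseline, policy=POLICY):
    """Compare the current state with the baseline and return the
    alterations that the policy does not permit, as (path, kind)."""
    current = build_baseline(root)
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            kind = "deleted"
        elif rel not in baseline:
            kind = "added"
        elif current[rel] != baseline[rel]:
            kind = "modified"
        else:
            continue  # unchanged
        if kind == "modified" and rel in policy["allowed_to_change"]:
            continue  # alteration permitted by policy
        findings.append((rel, kind))
    return findings

def write(path, data, mode="wb"):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, mode) as f:
        f.write(data)

def demo():
    """Constructed scenario in a temporary tree: take a baseline, then change
    one byte of a program, append to a log and drop in a hidden file."""
    with tempfile.TemporaryDirectory() as root:
        write(os.path.join(root, "usr/bin/login"), b"original program bytes")
        write(os.path.join(root, "var/log/app.log"), b"line 1\n")
        baseline = build_baseline(root)
        write(os.path.join(root, "usr/bin/login"), b"original program bytez")
        write(os.path.join(root, "var/log/app.log"), b"line 2\n", "ab")
        write(os.path.join(root, "usr/bin/.hidden"), b"x")
        return verify(root, baseline)
```

The baseline itself must be stored where the monitored host cannot alter it, otherwise an intruder who changes a file can also re-baseline it.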

20
IDS classification
  • Misuse detection
    • Asks the following question about system events: "Is this particular activity bad?"
    • Misuse detection involves gathering information about indicators of intrusion in a database and then determining whether such indicators can be found in incoming data.

21
IDS classification
  • Misuse detection (cont.)
    • To perform misuse detection, the following is needed:
      • A good understanding of what constitutes a misuse behaviour (intrusion patterns, or signatures).
      • A reliable record of user activity.
      • A reliable technique for analyzing that record of activity (very often pattern matching).

22
Misuse Detection
[Diagram: Activities -> Analysis (e.g. pattern matching), using Intrusion patterns (signatures) -> Intrusion.]
Signature example: if src_ip = dst_ip then land attack
23
IDS classification
  • Misuse detection (cont.)
    • It is best suited for reliably detecting known misuse patterns (by means of signatures).
    • It is not possible to detect previously unknown attacks, or attacks with an unknown signature. A single bit of difference may be enough for an IDS to miss the attack.
    • However, it is possible to use the existing knowledge (for instance, of outcomes of attacks) to recognize new forms of old attacks.

24
IDS classification
  • Misuse detection (cont.)
    • Misuse detection has no knowledge about the intention of activity that matches a signature.
    • Hence it sometimes generates alerts even if the activities are normal (normal activities often closely resemble the suspicious ones).
    • Hence IDS that use signature detection are likely to generate false positives.

25
IDS classification
  • Misuse detection (cont.)
    • New attacks require new signatures, and the increasing number of vulnerabilities means that signature databases grow over time.
    • Every packet must be compared to each signature for the IDS to detect intrusions. This can become computationally expensive as the amount of bandwidth increases.

26
IDS classification
  • Misuse detection (cont.)
    • When the amount of bandwidth overwhelms the capabilities of the IDS, it causes the IDS to miss or drop packets.
    • In this situation, false negatives are possible.
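
An added example (not part of the slides) of the misuse-detection slides above: a tiny signature matcher in Python over constructed packet records. It contains the slides' land-attack rule (source equals destination) and a content signature for a hypothetical exploit, shows the packets x signatures matching cost, shows the "single bit of difference" miss, and then applies knowledge of the old attack (case-folding the payload) to catch the altered form. The `Packet` fields, the `EXAMPLE_BAD_PATTERN` string and the sample traffic are all constructed.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    payload: bytes = b""

# Constructed signature database: name -> predicate over one packet.
SIGNATURES = {
    # The slides' example: a packet whose source equals its destination.
    "land attack": lambda p: p.src_ip == p.dst_ip and p.src_port == p.dst_port,
    # Constructed content signature for a hypothetical web exploit:
    # an exact byte pattern in a request to port 80.
    "example-exploit-v1": lambda p: p.dst_port == 80
    and b"EXAMPLE_BAD_PATTERN" in p.payload,
}

def misuse_detect(packets, signatures=SIGNATURES):
    """Every packet is compared with every signature, so the cost grows
    with packets x signatures (the scaling problem noted in the slides)."""
    alerts = []
    for i, p in enumerate(packets):
        for name, matches in signatures.items():
            if matches(p):
                alerts.append((i, name))
    return alerts

# Constructed traffic. Packet 2 differs from packet 1 by a single bit in the
# payload ('N' 0x4E vs 'n' 0x6E), enough to escape the exact signature.
SAMPLE = [
    Packet("192.0.2.10", "192.0.2.10", 139, 139),
    Packet("198.51.100.5", "192.0.2.20", 40000, 80,
           b"GET /?q=EXAMPLE_BAD_PATTERN HTTP/1.1"),
    Packet("198.51.100.5", "192.0.2.20", 40001, 80,
           b"GET /?q=EXAMPLE_BAD_PATTERn HTTP/1.1"),
    Packet("203.0.113.9", "192.0.2.20", 40002, 443, b"\x16\x03\x01"),
]

# Using knowledge of the old attack to catch a trivially altered form:
# the same content signature applied to a normalised (case-folded) payload.
SIGNATURES_V2 = dict(SIGNATURES)
SIGNATURES_V2["example-exploit-v1"] = (
    lambda p: p.dst_port == 80 and b"example_bad_pattern" in p.payload.lower())
```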

27
IDS classification
  • Anomaly detection
    • Anomaly detection involves a process of establishing profiles of normal user behaviour, comparing actual user behaviour to those profiles, and alerting if deviations from the normal behaviour are detected.
    • The basis of anomaly detection is the assertion that abnormal behaviour patterns indicate intrusion.

28
IDS classification
  • Anomaly detection (cont.)
    • Profiles are defined as sets of metrics - measures of particular aspects of user behaviour.
    • Each metric is associated with a threshold or a range of values.

29
IDS classification
  • Anomaly detection (cont.)
    • Anomaly detection depends on an assumption that users exhibit predictable, consistent patterns of system usage.
    • The approach also accommodates adaptations to changes in user behaviour over time.

30
IDS classification
  • Anomaly detection (cont.)
    • The completeness of anomaly detection depends on the selected set of metrics; it should be rich enough to express as much of the anomalous behaviour as possible.
    • Capable of detecting new attacks.
  • Capable of detecting new attacks.

31
IDS classification
  • Anomaly detection (cont.)
    • An attacker can replicate a misuse detection system and check which signatures it detects.
    • Then he/she can use the attack not detectable by the IDS in question.
    • This is not possible to do with an anomaly detection system.

32
IDS classification
  • Anomaly detection (cont.)
    • However, it is not always the case that abnormal behaviour patterns indicate an intrusion; sometimes rare sequences represent normal behaviour. This is a major problem in anomaly detection: false positives.
    • If anomaly detection IDS thresholds are set too high, we may miss the attacks and have false negatives.

33
Anomaly Detection
[Diagram: Activities -> Analysis, using Profiles of normal behaviour -> Intrusion.]
34
IDS classification
  • Anomaly detection (cont.)
    • Methods of anomaly detection
      • Statistical methods
      • Artificial intelligence (cognitive science, etc.)
      • Data mining
      • Mathematical abstractions of biological systems (neural nets, immune system simulation, process homeostasis)
      • Etc.
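
An added example (not part of the slides) of the statistical method applied to the anomaly-detection slides above: a per-user profile is a set of metrics, each summarised by its mean and standard deviation over a training window; a new observation is scored per metric in standard deviations and compared with a threshold, which also makes the false-positive (rare but normal day) and false-negative (threshold too high) cases of the slides concrete, and the window slides forward so the profile adapts. The metrics, the training data and the two test days are constructed.

```python
from statistics import mean, pstdev

# Constructed training window for user "alice": one observation per day.
# Each metric measures one aspect of her behaviour.
TRAINING = [
    {"logins": 4, "upload_mb": 12.0, "hosts": 3},
    {"logins": 5, "upload_mb": 9.5, "hosts": 4},
    {"logins": 3, "upload_mb": 15.0, "hosts": 3},
    {"logins": 4, "upload_mb": 11.0, "hosts": 2},
    {"logins": 6, "upload_mb": 13.5, "hosts": 4},
]

# Constructed test days: a large transfer to many hosts, and a merely busy
# day (many logins) that is unusual for alice but legitimate.
EXFIL_DAY = {"logins": 5, "upload_mb": 480.0, "hosts": 40}
BUSY_DAY = {"logins": 9, "upload_mb": 14.0, "hosts": 4}

def build_profile(observations):
    """Profile = (mean, standard deviation) per metric."""
    return {m: (mean(o[m] for o in observations), pstdev(o[m] for o in observations))
            for m in observations[0]}

def deviations(profile, observation):
    """Distance from the profile per metric, in standard deviations."""
    out = {}
    for m, (mu, sigma) in profile.items():
        out[m] = abs(observation[m] - mu) / (sigma or 1e-9)  # guard constant metrics
    return out

def detect(profile, observation, threshold):
    """Alert on every metric whose deviation exceeds the threshold."""
    return sorted(m for m, z in deviations(profile, observation).items() if z > threshold)

def update_profile(observations, new_observation, window=5):
    """Adapt to changing behaviour: slide the training window forward."""
    return build_profile((observations + [new_observation])[-window:])
```

With a threshold of 3 the exfiltration day alerts on `hosts` and `upload_mb`, the busy day alerts on `logins` (a false positive), and a threshold of 300 misses the exfiltration entirely (a false negative); once the busy day is folded into the window it no longer alerts.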

35
IDS classification
  • The fundamental debate between proponents of anomaly detection and proponents of misuse detection
    • Overlap of the regions representing "normal" and "misuse" activities.

36
IDS classification
  • The proponents of anomaly detection assert that the intersection between the two regions is minimal.
  • The proponents of misuse detection assert that the intersection is quite large, to the point that, given the difficulties in characterizing "normal" activity, it is pointless to use anomaly detection.

37
IDS classification
  • The solution of this problem is probably in combining the two detection models.
  • Although the IDS/IPS manufacturers do not publish the details of their designs, it is quite probable that they combine the misuse detection and anomaly detection approaches in their solutions.

38
Attack fundamentals
  • Four phases in the attacking process
    • Planning phase
    • Reconnaissance phase
    • Attack phase
    • Post-attack phase

39
Attack fundamentals
40
Attack fundamentals
  • Planning phase
    • Can take many different forms.
    • The attacker often makes use of the system in its intended manner before making the attack.
    • Example: the attacker may sign up for an account on an online e-commerce system or log onto a public server.
    • This type of publicly available legitimate access helps the attacker define the scope and goals of the attack.

41
Attack fundamentals
  • Planning phase (cont.)
    • After the initial preparation is complete, the attacker decides on the scope of the attack.
    • The attacker may have various goals:
      • Denial of service
      • Escalation of legitimate privileges
      • Unauthorized access
      • Data manipulation
    • The motivation behind an attack often dictates which of these goals are chosen.

42
Attack fundamentals
  • Reconnaissance phase
    • The attacker next gathers information or performs reconnaissance on the targeted network.
    • The attacker carries out a variety of different inquiries with the goal of pinpointing a specific method of attack (port scanning etc.).
    • The goal of the attacker in this phase is to narrow down the field of thousands of possible exploits to a small number of vulnerabilities that are specific to the targeted host/network.

43
Attack fundamentals
  • Reconnaissance phase (cont.)
    • The attacker attempts to make this reconnaissance as hard to notice as possible.
    • Even so, there are many different means of reconnaissance and some of them can be detected by an intrusion detection system.
    • Sources of information for the attacker:
      • Legitimate public data (forums, public databases, public monitoring tools, etc.)
      • Vulnerability scanning (ping, TCP connect, OS and version scanning, etc.)

44
Attack fundamentals
  • Attack phase
    • The traffic generated from attacks can take many different forms.
    • Types of attacks:
      • Denial of service
      • Remote exploits
      • Trojans and backdoor programs
      • Misuse of legitimate access

45
Attack fundamentals
  • Attack phase (cont.)
    • Denial of service (DoS)
      • Any attack that disrupts the function of a system so that legitimate users can no longer access it.
      • Possible on most network equipment: routers, servers, firewalls, remote access machines, etc.
      • Can be specific to a service (e.g. an FTP attack) or to an entire machine.
      • Categories of DoS:
        • Resource depletion
        • Malicious packet attacks

46
Attack fundamentals
  • Attack phase (cont.)
    • Denial of service (DoS) (cont.)
      • Resource depletion DoS attacks
        • Function by flooding a service with so much normal traffic that legitimate users cannot access the service.
        • An attacker inundating a service with normal traffic can exhaust finite resources such as bandwidth, memory and processor cycles.
        • Examples: SYN flood, Smurf, etc.

47
Attack fundamentals
  • Attack phase (cont.)
    • Denial of service (DoS) (cont.)
      • Malicious packet DoS attacks
        • Function by sending abnormal traffic to a host to cause the service or the host itself to crash.
        • Occur when software is not properly coded to handle abnormal or unusual traffic.
        • Such traffic can cause software to react unexpectedly and crash.
        • Attackers can use these attacks to bring down even an IDS.
        • Examples: Microsoft FTP DoS, SNORT ICMP DoS, etc.

48
Attack fundamentals
  • Attack phase (cont.)
    • Denial of service (DoS) (cont.)
      • Malicious packet DoS attacks (cont.)
        • In addition to unusual traffic, malicious packets can contain payloads that cause a system to crash.
        • A packet's payload is taken as input into a service.
        • If this input is not properly checked, the application can be brought down.

49
Attack fundamentals
  • Attack phase (cont.)
    • Denial of service (DoS) (cont.)
      • DoS attacks commonly utilize spoofed IP addresses because the attack is successful even if the response is misdirected.
      • The attacker requires no response, and in cases like the Smurf attack, wants at all costs to avoid a response.
      • This can make DoS attacks difficult to defend against, and even more difficult to detect.

50
Attack fundamentals
  • Attack phase (cont.)
    • Remote exploits
      • Attacks designed to take advantage of improperly coded software to compromise and take control of a vulnerable host.
      • Can function in the same manner as the malicious payload DoS attacks.
      • Take advantage of improperly checked input or configuration errors.
      • Examples: buffer overflow, Unicode exploit, cookie poisoning, SQL injection, etc.

51
Attack fundamentals
  • Attack phase (cont.)
    • Trojans and Backdoor programs
      • By installing a backdoor program or a Trojan, an attacker can bypass normal security controls and gain privileged unauthorized access to a host.
      • A backdoor program can be deployed on a system in a variety of different ways, e.g. a malicious software engineer can add a backdoor program into legitimate software code.
      • Backdoor programs might be added for legitimate maintenance reasons in the software development life cycle, but later forgotten.

52
Attack fundamentals
  • Attack phase (cont.)
    • Trojans and Backdoor programs (cont.)
      • A Trojan is defined as software that is disguised as a benign application.
      • Remote control Trojans typically listen on a port like a genuine application.
      • Through this open port, an attacker controls them remotely.
      • Trojans can be used to perform any number of functions on the host.

53
Attack fundamentals
  • Attack phase (cont.)
    • Trojans and Backdoor programs (cont.)
      • Some Trojans include port scanning and DoS features.
      • Others can take screen and webcam captures and send them back to the attacker.
      • Trojans and backdoor programs have traditionally listened on a TCP or UDP port, making it easy to detect them and undertake countermeasures.

54
Attack fundamentals
  • Attack phase (cont.)
    • Trojans and Backdoor programs (cont.)
      • Because of that, Trojans have evolved so that they no longer need to listen on a TCP or UDP port.
      • Instead, they listen for a specific sequence of events before processing commands.
      • It may be a combination of predetermined source addresses, TCP header information, or false destination ports that do not match a listening service.

55
Attack fundamentals
  • Attack phase (cont.)
    • Misuse of Legitimate Access
      • Attackers often attempt to gain unauthorized use of legitimate accounts by getting authentication information.
      • This can be performed by means of technical and/or social engineering methods.
      • IDS, especially the anomaly detection ones, may be used to detect such activities.

56
Attack fundamentals
  • Post-attack phase
    • After an attacker has successfully penetrated into a host on the targeted network, further actions he/she will take are in general unpredictable.
    • In this phase, the attacker carries out his/her plan and makes use of information resources as he/she considers appropriate.

57
Attack fundamentals
  • Post-attack phase
    • Possible post-attack activities:
      • Covering tracks
      • Penetrating deeper into the network infrastructure
      • Using the host to attack other networks
      • Gathering, manipulating, or destroying data
      • Handing over the host to a friend or a hacker group
      • Walking or running away without doing anything.