Intrusion Detection Systems

1
Intrusion Detection Systems

• Presented By Siddharth Maini

2
Contents

• Why IDS?
• What are Intrusion Detection Systems?
• Types of Intrusion Detection Systems
• Network-Based
• Host-Based
• Decoys
• Signature-Based
• Anomaly-Based
• Anomaly-based Vs. Other forms of Intrusion
  Detection Systems
• Behavior Anomaly-based
• Traffic Anomaly-based
• Protocol Anomaly
• Protocol Based Vs. Signature-Based Systems
• Justification
• Deploying IDS
• Conclusion
• References

3
Why IDS?

• Rapid growth of networking technologies has lead
  to an increase in the number of security
  challenges
• To meet such challenges, firewalls other
  controls can impede unauthorized access to the
  resources to some extent
• But they are limited in preventing hackers from
  launching Trojans, Worms many other malicious
  attacks
• So going an extra step against unauthorized
  access lead to the development of IDS

4
What are Intrusion Detection Systems?

• They monitor analyze events that occur on a
  network or system by looking for intrusion
  attempts
• They can respond to attacks in real time
• They work like burglar alarms by alerting
  administrators of any unusual activity
• They provide different functions based on the
  type of network infrastructure
• They also simplify the task of verifying
  categorizing threats in form of reports to the
  executive management

5
(Contd.)

• Companies should invest in an IDS which
• IS NOT difficult to support
• DOES NOT report a large number of false positives
• SHOULD keep up with the network speed
• False positives are attack alerts generated which
  in reality there were not the original attacks
• Due to this an IDS which generates a large number
  of false positives is difficult to manage
• As a result the systems administrator
• Might start ignoring alerts because they look
  like false positives
• This might lead to a compromise of the companys
  network.

6
Types of Intrusion Detection Systems

• Network-Based
• They capture analyze packets that pass on the
  network segment by placing the network interface
  card in promiscuous mode
• Each sensor looks at packets that are carried on
  that network segment to which the sensor is
  connected
• When a predefined condition occurs, administrator
  is notified
• A typical network deployment consists of one or
  more sensors performing local analysis
  reporting attack information back to a
  centralized console
• E.g. reporting DoS attacks
• Host-Based
• Software needs to be loaded directly on the host
  to be monitored
• The software monitors system files, processes,
  and log files for suspicious activity.
• Such as change in file size / attributes
• Creation of new files
• Some host-based IDSs can monitor for changes in
  user privileges.
• Gaining higher-level privileges or setting up new
  user accounts is a common approach used by an
  adversary on the internal network.
• On critical servers, detection of this kind of
  abuse is important and needs to be monitored
  directly on the host.
• Therefore, a combination of host-based and
  network-based detection on large networks is
  recommended
• False positives can occur when an authorized user
  changes the file

7
(Contd.)

• Decoys
• A decoy also called as a honey pot is a system
  that, when installed on a critical network, is
  designed to lure a potential hacker away from
  other more important systems on that network.
• As a result, the attacker grabs the bait, and the
  system administrator is warned of unauthorized
  activity in this zone.
• Decoys are placed throughout corporations and
  financial institutions in conjunction with
  network-based and host-based IDSs.
• Decoys involve designing a system considered to
  be of interest to a potential attacker.
• The system needs to look real, have real data,
  and have enticing enough data to keep the
  attacker around while capturing his moves.
• The skill of the attacker can be learned once
  captured.
• Ideally, once the attacker is in the decoy,
  tracking him or her back to the real source of
  the attack, and then watching and recording
  (digitally stamping) every keystroke, prepares
  you with evidence to capture the attacker and
  take legal action

8
(Contd.)

• Signature-Based Detection
• The use signature-based method that works like an
  antivirus
• They examine the network packets traffic for
  specific patterns of attack.
• Signatures must be developed specifically for the
  attack so the IDS can recognize the attack. These
  systems require large signature databases so that
  every packet can be compared to the database.
• One of the greatest challenges of these systems
  is they must have advance knowledge of the attack
  to be detected.
• As new attacks are discovered every day,
  intrusion detection systems which rely solely on
  this approach will always be out of date.
• The other challenge for these systems is keeping
  up with the speed of the network.
• As network speeds increase, the sensors lack the
  resources to look at every packet, so some
  packets are discarded.
• As a the attacks could easily go unnoticed by the
  IDS.
• In addition, higher speeds can increase the false
  positive rate

9
Anomaly Based Detection

• General Idea
• An anomaly is defined as something different,
  abnormal, peculiar, or not easily classified
• In context of computer security, an anomaly can
  be defined as some action or data that is not
  considered normal for a given system, user, or
  network
• It can include things such as traffic patterns,
  user activity, and application behavior
• The general approach used by anomaly detection is
  that something (i.e., a network, a host, a set of
  users, etc.) is observed and compared against
  expected behavior.
• If there is a variation from the expected, that
  variation is flagged as an anomaly.
• One key difference between anomaly detection and
  other forms of detection is that, rather than
  defining what is not allowed or bad, it defines
  what is allowed or good.

10
Anomaly-based Vs. Other forms of IDS

• Other forms of detection compare observed
  behavior with something known to be bad
• They are also referred to as explicit detection
  systems as they operate well when the number of
  possible bad behaviors is small and does not
  change very rapidly.
• In larger systems with greater variation, these
  conditions do not hold.
• It becomes a very tedious task to maintain the
  list of what is bad

11
Anomaly Detection

• Anomaly detection relies on having some
  definition of allowed behavior
• The definition of what is allowed tends to be
  much shorter.
• It also tends not to require changes as new
  problems are created or discovered
• Anomaly detection systems monitor networks for
  two primary criteria
• Characteristic deviation
• Statistical deviation
• Characteristic deviations tend to be more
  qualitative. For example, User joe123 does not
  normally use transfer files outside of the
  company.
• Statistical deviations tend to be more
  quantitative. For example, This sites ICMP
  traffic never exceeds 15 of capacity.
• Anomaly Detection Approaches
• Behavioral
• Traffic pattern
• Protocol

12
Behavioral anomaly systems

• They look for anomalies in behavior
• They may also cover some statistical criteria
• What type of applications protocols are used at
  various time of day
• Relationships b/w source destination networks
• What types of e-mail attachments are sent
• E.g. Credit card fraud systems to monitor credit
  card usage
• E.g. Detection of excessive use, detection of use
  at unusual hours and detection of changes in
  system calls made by user processes.
• Such systems can be constructed to detect very
  subtle qualitative systems
• But are difficult to design as user behavior
  might change

13
Traffic pattern anomaly systems

• They look for anomalies of network traffic
  patterns
• They are primarily statistical in nature
• E.g. Simple Network Management Systems /
  Denial-of-Service monitoring systems
• Disadvantage is that they are often unable to
  detect subtle quantitative or most qualitative
  anomalies.
• They also present some difficulties in defining a
  reliable baseline upon which to perform the
  statistical analysis.

14
Protocol Anomaly IDS

• It focuses on the content of the network
  communications at the protocol level.
• As many attacks target protocols such as Telnet,
  HTTP, RPC, and SMTP.
• Packets are state fully inspected in the context
  of previous packets transmitted of the same
  conversation.
• As a conversation progresses, it is evaluated by
  a protocol state machine to determine if the
  protocol has been abused in any way.
• The state machines are derived from the RFC
  protocol standards.
• Common misuses of the protocols are also built
  into the state machines to allow for legitimate
  network traffic that deviates from the protocol
  standards.
• Attackers can use certain programming errors
  (buffer overflows) to compromise or damage a
  system.
• These attacks exploit poor programming practices
  and are quite common.
• When protocol rules are modeled directly in the
  sensors, it is easy to identify traffic that
  violates the rules, such as unexpected data,
  extra characters, and invalid characters.

15
Protocol Based Vs. Signature-Based Systems

• Protocol anomaly detection eliminates the need
  for extensive attack-signature databases
• Watching for protocol anomalies is a more
  effective method of attack detection than
  watching for attack signatures as new attack
  methods and exploits are constantly being
  discovered.
• By contrast, new protocols and extensions to
  existing protocols are developed more slowly.
• The rules to ensure that a conversation is
  adhering to the protocol standards are specified
  in the protocol RFCs.
• Given the types of attacks to date, experience
  shows that 80 of attacks violate protocol rules.
• Hackers develop programs that attack poorly
  defined areas of protocol
• Attacks can be spotted easily by
  protocol-anomaly-based IDSs.
• E.g.
• Protocol-anomaly IDSs detected Code Red attacks,
  unlike signature-based systems, which had to wait
  for an update to detect the attacks while leaving
  the firm at risk.
• The Code Red attack violated the HTTP protocol
  because it uses a GET request to post and execute
  malicious code on the victim server.

16
Protocol Based Vs. Signature-Based Systems
17
Justification for Anomaly-Based Systems

• A firm must know the moment it is under attack.
• Between the launch of a new attack and the time
  when the security community becomes aware of it
  (and develops countermeasures) An attacker can
  take advantage of that window of opportunity to
  penetrate existing defenses.
• Threats at this point in their life cycle are
  called zero-day attacks. Because they are not
  publicly known, they are not yet reflected in
  detection signatures and can sidestep existing
  defenses.
• This is a powerful reason for a firm to deploy
  protocol detection.
• On the other hand, Signature-based systems must
  wait for an update before they become able to
  detect the new attacks.

18
Deploying IDS

• Six events that a good IDS should report
• Intrusion attempt
• Distributed Denial-of-Service (DDoS)
• Denial-of-Service (DoS)
• Suspicious Activity
• Scanning port activity
• Failed access attempts
• Protocol Anomaly
• Network event
• Can be any event other than above
• E.g. false positives
• Logging should always be turned ON for all
  attacks especially buffer overflow attacks.
• Intrusion attempts, DDoS and DoS attacks alert as
  HIGH priorities.
• Suspicious activity and protocol anomalies alert
  as MEDIUM priorities.
• Network events alert as LOW priority.

19
Deployment in a Simplified Network

• To protect stop the enterprise IDSes from
  monitoring the traffic at these remote sites.
• Might be used to cover e-business connections to
  partner sites

• This is where the enterprises service for/ to
  access the outside world are kept including web
  servers, ftp servers and email servers
• Allows the IDS to provide information about the
  network traffic and activity that affects these
  outward-facing servers
• Majority of attacks are denial of service, web
  exploits, email attacks

• Provides information about attackers
• This might be used to take legal action against
  them

For the protection of mission critical servers
like ERP, CRM, PDM and accounting systems.

• This is a central chokepoint of aggregate traffic
  that passes into and out of the enterprise
  private network.
• In case only one IDS can be afforded, this is the
  place to put it.
• This position allows the IDS to sound alarm
  incase something has made it through the firewall
  and into the private network.

20
Conclusion

• A mix of different IDS should be used at various
  different locations in the companys enterprise
  server
• Explicit IDS systems should be updated regularly
  with signatures etc.
• IDS should be implemented w.r.t priorities
• In case of Protocol Anomaly-based IDS start with
  a network diagram make a list of all protocols
  that pass ach aggregate point in the network
• Observe the traffic for unknown protocols for
  some time all them to the list of known
  protocols

21
References

• White Paper Comprehensive Intrusion Protection
  Solutions from Symantec
• White Paper Intrusion Detection Systems
  Defining Protocol Anomaly Detection
• SANS GSEC Practical Assignment v. 1.4b by German
  Rincon
• A Justification for Intrusion Detection by Linda
  McCarthy
• http//www.intrusion.com/products/download/Deployi
  ng_and_Tuning_NIDS.pdf
• Principles of Information Security by Michael
  Whitman Herbert J. Mattord