Computer Security: Principles and Practice - Chapter 6 Intrusion Detection (lecture slide transcript)
Slides by William Stallings and Lawrie Brown, with additions by Susan Lincke. Provided by cs.uwp.edu (http://www.cs.uwp.edu). 52 slides.

1
Computer Security Principles and Practice
Chapter 6 Intrusion Detection
  • by William Stallings and Lawrie Brown
  • Lecture slides: some by Lawrie Brown, some by
    Susan Lincke

2
Objectives
  • The student should be able to
  • Define how a signature-based, anomaly-based, and
    rule-based IDS works.
  • Define false positives, false negatives, and how
    both affect the sensitivity of an IDS.
  • Describe the difference between an IDS and IPS
    and the advantages/disadvantages of each.
  • Describe when you would use a host IDS/IPS and/or
    a network IDS/IPS and some advantages of each.
  • Describe the functions of different host IDS systems:
    system integrity verifiers, statistics monitors,
    deception systems, and configuration auditors.
  • Draw the internal configuration of a tap, and
    describe how a switch SPAN port works.
  • Describe the three responses that Cisco IDSs can
    support in response to an attack.
  • Describe the capabilities of Snort, including its
    features, cost, programmability, configurability,
    and its directory structure.

3
Examples of Intrusion
  • remote root compromise
  • web server defacement
  • guessing / cracking passwords
  • copying / viewing sensitive data / databases
  • running a packet sniffer
  • distributing pirated software
  • using an unsecured modem to access net
  • impersonating a user to reset password
  • using an unattended workstation

4
Security Intrusion Detection
  • Security Intrusion
  • A security event, or combination of multiple
    security events, that constitutes a security
    incident in which an intruder gains, or attempts
    to gain, access to a system (or system resource)
    without having authorization to do so.
  • Intrusion Detection
  • A security service that monitors and analyzes
    system events for the purpose of finding, and
    providing real-time or near real-time warning of
    attempts to access system resources in an
    unauthorized manner.
  • Intrusion Prevention
  • An intrusion detection system that proactively
    acts to counteract a threat directly.

5
Insider Attacks
  • among the most difficult to detect and prevent
  • employees have access and systems knowledge
  • may be motivated by revenge or a sense of entitlement
  • e.g. when employment is terminated
  • e.g. taking customer data when moving to a competitor
  • IDS / IPS may help, but you also need
  • least privilege, monitored logs, strong
    authentication, and a termination process that
    blocks access and preserves (mirrors) the departing
    employee's data

6
Insider Behavior Example
  1. create network accounts for themselves and their
    friends
  2. access accounts and applications they wouldn't
    normally use for their daily jobs
  3. e-mail former and prospective employers
  4. conduct furtive instant-messaging chats
  5. visit web sites that cater to disgruntled
    employees, such as f'dcompany.com
  6. perform large downloads and file copying
  7. access the network during off hours.

7
Intrusion Techniques
  • objective to gain access or increase privileges
  • initial attacks often exploit system or software
    vulnerabilities to execute code to get backdoor
  • e.g. buffer overflow
  • or to gain protected information
  • e.g. password guessing or acquisition

8
Intrusion Detection Systems
  • classify intrusion detection/prevention systems
    (IDS / IPS) as
  • Host-based IDS/IPS monitor single host activity
  • Network-based IDS/IPS monitor network traffic
  • logical components
  • sensors - collect data
  • analyzers - determine if intrusion has occurred
  • user interface - manage / direct / view IDS/IPS

9
IDS/IPS Principles
  • assume intruder behavior differs from legitimate
    users
  • expect overlap as shown
  • observe deviations
  • from past history
  • problems of
  • false positives
  • false negatives
  • must compromise

10
IDS/IPS Principles
  • Where to set limit (draw arrow)?
  • false positives normal behavior labeled attack
  • false negatives attack labeled normal behavior
  • must compromise

11
IDS Requirements
  • run continually
  • be fault tolerant
  • resist subversion
  • impose a minimal overhead on the system (for a HIDS)
  • configured according to system security policies
  • adapt to changes in systems and users
  • scale to monitor large numbers of systems
  • provide graceful degradation of service
  • allow dynamic reconfiguration

12
Host-Based IDS
  • specialized software to monitor system activity
    to detect suspicious behavior
  • primary purpose is to detect intrusions, log
    suspicious events, and send alerts
  • can detect both external and internal intrusions
  • two approaches, often used in combination
  • anomaly detection - defines normal/expected
    behavior
  • threshold detection
  • profile based
  • signature detection - defines known intruder/attack
    behavior as a set of rules or attack patterns

13
Audit Records
  • a fundamental tool for intrusion detection
  • two variants
  • native audit records - provided by O/S
  • always available but may not be optimum
  • detection-specific audit records - IDS specific
  • additional overhead but specific to IDS task
  • often log individual elementary actions

14
Audit Record Contents
  • Subject: initiator of the action (user or process)
  • Action: operation performed, e.g. login, read, perform
    I/O, execute
  • Object: receptor of the action, e.g. file, program,
    message, record, printer
  • Exception-condition: type of exception raised, if any
  • Resource-usage: amount of resources used (e.g. CPU
    time, records read)
  • Time-stamp: when it occurred

Example records (Subject | Action | Object | Exception-condition | Resource-usage | Time-stamp):
Smith | Execute | <Library>Copy.exe | 0 | CPU=00002 | 11058721678
Smith | Write | <Library>mainDB | Write-viol | RECORDS=0 | 11058721678
15
Anomaly Detection
  • threshold detection
  • checks excessive event occurrences over time
  • alone a crude and ineffective intruder detector
  • must determine both thresholds and time intervals
  • profile based
  • characterize past behavior of users / groups
  • then detect significant deviations
  • based on analysis of audit records
  • gather metrics counter, gauge, interval timer,
    resource utilization
  • analyze mean and standard deviation,
    multivariate, Markov process, time series,
    operational model

16
Login Session Activity
Measure | Model | Type of intrusion detected
Login frequency by day and time | Mean and standard deviation | Intruders likely to log in after normal hours
Frequency of login at different locations | Mean and standard deviation | Login from a location the user rarely uses
Time since last login | Operational | Break-in on a dead (dormant) account
Elapsed time per session | Mean and standard deviation | Significant deviation may indicate a masquerader
Quantity of output to location | Mean and standard deviation | Excessive data transmitted to a remote location could be leakage of sensitive data
Session resource utilization | Mean and standard deviation | Unusual processor or I/O levels may indicate an intruder
Password failures at login | Operational | Attempted break-in by password guessing
17
Command or Program Execution Activity
Measure | Model | Type of intrusion detected
Execution frequency | Mean and standard deviation | A different set of commands, or use of privileged commands, may indicate a break-in
Program resource utilization | Mean and standard deviation | High values may result from a virus, Trojan horse, or worm
Execution denials | Operational | Penetration attempt by a user seeking higher privileges
18
File Access Activity
Measure | Model | Type of intrusion detected
Read, write, create, delete frequency | Mean and standard deviation | Abnormal access patterns may signify masquerading or browsing
Records read, written | Mean and standard deviation | Attempt to obtain sensitive data by inference and aggregation
Failure count for read, write, create, delete | Operational | May detect users who persistently attempt to access unauthorized files
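The two anomaly models on slides 15-18, threshold detection (count of an event over a time window) and profile-based detection (mean and standard deviation per user and metric), run over a handful of audit records. This is an added example, not code from the slides or the textbook; the records, the 3-sigma cutoff, the 60-second window and the "more than 4 failures" limit are all constructed for illustration.

```python
"""Threshold and profile-based anomaly detection over audit records.

Added example, not from the slides or the textbook. The audit records are constructed:
(subject, action, object, exception-condition, resource-usage, time-stamp), where
resource-usage is bytes output for a 'session' record and 0 otherwise.
"""
from collections import defaultdict, deque
from datetime import datetime
from statistics import mean, pstdev

# Constructed one-week history of a normal office user: logins around 09:00, ~100 KB per session.
HISTORY = [
    ("smith", "login",   "host1", None, 0,       "2024-03-04T09:05:00"),
    ("smith", "session", "host1", None, 120_000, "2024-03-04T17:10:00"),
    ("smith", "login",   "host1", None, 0,       "2024-03-05T08:55:00"),
    ("smith", "session", "host1", None, 95_000,  "2024-03-05T17:02:00"),
    ("smith", "login",   "host1", None, 0,       "2024-03-06T09:15:00"),
    ("smith", "session", "host1", None, 110_000, "2024-03-06T16:48:00"),
    ("smith", "login",   "host1", None, 0,       "2024-03-07T08:50:00"),
    ("smith", "session", "host1", None, 101_000, "2024-03-07T17:20:00"),
    ("smith", "login",   "host1", None, 0,       "2024-03-08T09:10:00"),
    ("smith", "session", "host1", None, 130_000, "2024-03-08T17:05:00"),
]

# Constructed records under test: a 03:12 login followed by a 5 MB session (masquerader or data
# leakage?) and a burst of password failures against 'jones' (password guessing).
CURRENT = [
    ("smith", "login",   "host1", None,      0,         "2024-03-09T03:12:00"),
    ("smith", "session", "host1", None,      5_000_000, "2024-03-09T03:40:00"),
    ("jones", "login",   "host1", "pw-fail", 0,         "2024-03-09T10:00:01"),
    ("jones", "login",   "host1", "pw-fail", 0,         "2024-03-09T10:00:03"),
    ("jones", "login",   "host1", "pw-fail", 0,         "2024-03-09T10:00:04"),
    ("jones", "login",   "host1", "pw-fail", 0,         "2024-03-09T10:00:09"),
    ("jones", "login",   "host1", "pw-fail", 0,         "2024-03-09T10:00:11"),
    ("jones", "login",   "host1", None,      0,         "2024-03-09T10:00:20"),
]


def ts(rec):
    return datetime.fromisoformat(rec[5])


def metric_of(rec):
    """Map an audit record to the (metric name, value) the profile tracks, or None if untracked."""
    subj, action, _obj, exc, usage, _t = rec
    if exc is not None:
        return None
    if action == "login":
        t = ts(rec)
        return "login_hour", t.hour + t.minute / 60
    if action == "session":
        return "session_bytes", usage
    return None


def build_profiles(records):
    """Profile-based model: per subject and metric, (mean, standard deviation) of past behaviour."""
    samples = defaultdict(lambda: defaultdict(list))
    for rec in records:
        m = metric_of(rec)
        if m:
            samples[rec[0]][m[0]].append(m[1])
    return {subj: {name: (mean(v), pstdev(v)) for name, v in metrics.items() if len(v) >= 2}
            for subj, metrics in samples.items()}


def profile_alerts(profiles, records, k=3.0):
    """Flag records whose metric lies more than k standard deviations from the subject's mean."""
    alerts = []
    for rec in records:
        m = metric_of(rec)
        if not m or rec[0] not in profiles or m[0] not in profiles[rec[0]]:
            continue
        mu, sigma = profiles[rec[0]][m[0]]
        # A degenerate profile (all past samples identical) would divide by zero: treat any change as maximal.
        z = abs(m[1] - mu) / sigma if sigma > 0 else (0.0 if m[1] == mu else float("inf"))
        if z > k:
            alerts.append((rec[0], m[0], round(m[1], 2), round(z, 1)))
    return alerts


def threshold_alerts(records, exc="pw-fail", limit=4, window_s=60):
    """Threshold model: more than `limit` occurrences of `exc` for one subject within `window_s` seconds."""
    recent, fired, alerts = defaultdict(deque), set(), []
    for rec in sorted(records, key=ts):
        subj = rec[0]
        if rec[3] != exc:
            continue
        q = recent[subj]
        q.append(ts(rec))
        while (q[-1] - q[0]).total_seconds() > window_s:   # slide the window forward
            q.popleft()
        if len(q) > limit and subj not in fired:
            alerts.append((subj, exc, len(q), window_s))
            fired.add(subj)
    return alerts


if __name__ == "__main__":
    prof = build_profiles(HISTORY)
    print(profile_alerts(prof, CURRENT))
    print(threshold_alerts(CURRENT))
```

The same history produces no alerts at k=3 (its worst deviation is about 1.5 sigma), which is the point of the profile: the cutoff is set relative to the user's own variability, not to a fixed clock time or byte count. The threshold detector is deliberately crude, as slide 15 says; it needs both the count and the interval chosen, and it only fires once per subject so a sustained attack does not flood the console.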
19
Signature Detection
  • observe events on the system and apply a set of
    rules to decide whether they indicate an intruder
  • approaches
  • rule-based anomaly detection
  • analyze historical audit records for expected
    behavior, then match with current behavior
  • rule-based penetration identification
  • rules identify known penetrations / weaknesses
  • often by analyzing attack scripts from Internet
  • supplemented with rules from security experts

20
Rule based penetration examples
  • Users should not read files in other users'
    personal directories
  • Users must not write to other users' files
  • Users who log in after hours often access the
    same files they used earlier
  • Users do not generally open disk devices directly
    but rely on higher-level operating system
    utilities
  • Users should not be logged in more than once to
    the same system
  • Users do not make copies of system programs
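The heuristics on this slide become concrete as predicates over an audit trail. The following is an added example, not code from the slides or the textbook: the records are constructed, the file-ownership model (a path under /home/<user>/ belongs to <user>, everything else is shared or system-owned) is an assumption, and the "logged in more than once" rule shows that some rules need state carried across records rather than a per-record test.

```python
"""Rule-based penetration identification: apply the slide's heuristics to an audit trail.

Added example, not from the slides or the textbook. Records are constructed
(subject, action, object, time-stamp) and the ownership model is an assumption: a path under
/home/<user>/ belongs to <user>, anything else is shared or system-owned.
"""
import re
from collections import defaultdict

AUDIT = [   # constructed: one user misbehaving in several of the ways the rules describe
    ("smith", "login",  "tty1",                     "2024-03-09T08:00:00"),
    ("smith", "read",   "/home/smith/notes.txt",    "2024-03-09T08:01:00"),
    ("smith", "read",   "/home/jones/payroll.xls",  "2024-03-09T08:02:00"),
    ("smith", "login",  "pts/3",                    "2024-03-09T08:03:00"),
    ("smith", "open",   "/dev/sda",                 "2024-03-09T08:04:00"),
    ("smith", "copy",   "/usr/bin/passwd",          "2024-03-09T08:05:00"),
    ("smith", "write",  "/home/jones/.profile",     "2024-03-09T08:06:00"),
    ("smith", "logout", "tty1",                     "2024-03-09T08:07:00"),
    ("jones", "read",   "/home/jones/payroll.xls",  "2024-03-09T08:08:00"),
]

HOME_OF = re.compile(r"^/home/([^/]+)/")
SYSTEM_BIN = re.compile(r"^/(usr/)?s?bin/")


def owner_of(path):
    m = HOME_OF.match(path)
    return m.group(1) if m else None          # None: not a personal file


def read_others_home(rec, state):
    subj, action, obj, _ = rec
    return action == "read" and owner_of(obj) not in (None, subj)


def write_others_file(rec, state):
    subj, action, obj, _ = rec
    return action == "write" and owner_of(obj) not in (None, subj)


def raw_disk_access(rec, state):
    return rec[1] == "open" and rec[2].startswith("/dev/")


def duplicate_login(rec, state):
    """Stateful rule: track live sessions per subject across records."""
    subj, action, _, _ = rec
    if action == "login":
        state["sessions"][subj] += 1
        return state["sessions"][subj] > 1
    if action == "logout":
        state["sessions"][subj] = max(0, state["sessions"][subj] - 1)
    return False


def copy_system_program(rec, state):
    return rec[1] == "copy" and SYSTEM_BIN.match(rec[2]) is not None


RULES = [
    ("read of another user's personal directory", read_others_home),
    ("write to another user's file", write_others_file),
    ("direct access to a disk device", raw_disk_access),
    ("logged in more than once to the same system", duplicate_login),
    ("copy of a system program", copy_system_program),
]


def run_rules(records, rules=RULES):
    """Evaluate every rule on every record in time order; return (time-stamp, subject, rule) per hit."""
    state = {"sessions": defaultdict(int)}
    hits = []
    for rec in sorted(records, key=lambda r: r[3]):
        hits += [(rec[3], rec[0], name) for name, pred in rules if pred(rec, state)]
    return hits


if __name__ == "__main__":
    for hit in run_rules(AUDIT):
        print(*hit)
```

Records must be processed in time order, otherwise the session counter sees a logout before its login. Ordering also matters for the evidence-removal point made later in the comparison table: these rules are only as good as the audit trail, and an attacker who can edit the log after the fact can erase the "read" that triggered the first hit.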

21
Signature- versus Anomaly-Based IDS
  • Signature-based: looks for attack signatures in
    packets or logs
  • Retains signatures in a signature database or
    rule set(s).
  • Can create custom rules, sometimes with
    wildcards
  • Benefits and limitations
  • Benefit: can name the specific attack, allowing an
    appropriate reaction
  • Limitations
  • More signatures translate into lower throughput
    (every packet is checked against more patterns)
  • Slight deviations from the signature won't be
    caught, e.g., a literal blank vs. its %20 encoding
  • New (previously unseen) attacks cannot be caught

22
Anomaly-based or Heuristic: looks for unexpected
behavior
  • Baseline-based intrusion detection: expected
    performance is known
  • Thresholds are established differentiating normal
    vs. abnormal behavior
  • E.g., rate of SYN or ping packets changes
  • E.g., monitoring processor usage at night
  • E.g., packet is not formatted as expected
  • Rule-based intrusion detection: certain actions
    are not allowed
  • E.g., log all accesses to the password file
  • Benefits and limitations
  • Benefit: quick at recognizing new large-scale
    worm attacks
  • Limitation: cannot name the attack; cannot
    detect attacks that stay close to the norm

23
System Sensitivity
  • False positive: innocent action logged as an
    attack
  • False negative: attack not recognized
  • Sensitivity of the system: where the alarm threshold
    sits, trading false positives against false negatives
  • Administrator must achieve the right balance of
    sensitivity
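Slides 9, 10 and 23 describe the overlap between normal and intruder behaviour and the compromise the administrator must make. The following added example (not from the slides) makes that trade-off numeric: a constructed set of anomaly scores whose true labels are known, a sweep of the alarm threshold across them, and a cost-weighted choice of threshold. The scores and the cost ratio are assumptions for illustration.

```python
"""Trading off false positives against false negatives by sweeping the alarm threshold.

Added example, not from the slides. The anomaly scores below are constructed: each is the score
an IDS assigned to an event whose true label (normal or attack) is known from later investigation.
"""
# Constructed scores (0..100). Note the overlap between 35 and 60: no threshold separates them cleanly.
NORMAL = [12, 18, 22, 25, 27, 30, 31, 33, 35, 38, 40, 44, 47, 52, 60]
ATTACK = [35, 42, 48, 55, 58, 63, 67, 70, 75, 80, 88, 95]


def rates(threshold, normal=NORMAL, attack=ATTACK):
    """Alarm when score >= threshold. Returns (false_positive_rate, false_negative_rate)."""
    fp = sum(1 for s in normal if s >= threshold)      # normal behaviour labelled attack
    fn = sum(1 for s in attack if s < threshold)       # attack labelled normal
    return fp / len(normal), fn / len(attack)


def sweep(step=5):
    """(threshold, FPR, FNR) for each candidate threshold: the sensitivity curve the admin chooses from."""
    return [(t, *rates(t)) for t in range(0, 101, step)]


def best_threshold(fn_cost=5.0, fp_cost=1.0, step=5):
    """Threshold minimising expected cost, where a missed attack costs fn_cost and a false alarm fp_cost.
    Ties go to the lower (more sensitive) threshold."""
    return min(sweep(step), key=lambda r: (fn_cost * r[2] + fp_cost * r[1], r[0]))[0]


if __name__ == "__main__":
    for t, fpr, fnr in sweep():
        print(f"threshold {t:3d}: FPR {fpr:.2f}  FNR {fnr:.2f}")
    print("missed attack costs 5x a false alarm ->", best_threshold())
    print("equal costs                          ->", best_threshold(fn_cost=1.0))
```

With a missed attack weighted five times a false alarm the sweep settles at 35 (no misses, but nearly half of normal events alarm); with equal weights it moves up to 55. Neither threshold is "right"; the choice depends on how expensive an analyst's time is compared with an undetected intrusion, which is why the slide leaves it to the administrator.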

24
Types of NIDS, NIPS
  • Passive mode (IDS): monitors a copy of network
    traffic only
  • Does not affect performance of network traffic
  • Monitoring interface can be receive-only (no IP
    address, unable to transmit), which hides the sensor
  • Active mode (IPS): performs inline processing
    of packets
  • Causes a performance penalty; problematic for
    very busy networks, and a failed inline sensor can
    break the path unless it fails open
  • Must be capable of sending on the network

25
IDS versus IPS
  • Intrusion Detection System (IDS): sniffs and
    reports possible violations
  • Difference from a firewall: an IDS can name the attack
  • Intrusion Prevention System (IPS): reports
    violations and prevents attacks from occurring
  • Does inline processing, similar to a firewall:
    drop packets, reset connections, route suspicious
    traffic for analysis
  • Problems: delays in processing, bottleneck
  • Since IDS/IPS have a high rate of false positives,
    they require extensive tuning before blocking can
    be trusted

26
What an IDS Cannot Detect
  • Passwords not changed from default
  • File transfer of confidential files (unless
    specifically programmed)
  • Social engineering techniques
  • The contents of encrypted messages on the network
    (a NIDS sees only ciphertext)

[Figure: bus or other broadcast configuration vs. star configuration; no transcript]
27
NIDS/NIPS Detects
Attacks can be categorized by how many packets the sensor must see and where in the packet the evidence lies:
  • Single-packet attacks
  • Context (header) attacks: Ping of Death (reassembled
    packet larger than the 65535-byte IP maximum),
    Land.c attack (source and destination IP address
    are the same)
  • Content (data) attacks: DNS attacks carrying
    malformed data; character-mode attacks that bypass
    ASCII signatures by sending the same payload in
    Unicode or hexadecimal encodings
  • Multiple-packet attacks (require state across packets)
  • Port sweep, TCP hijack, SYN flood
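The header (context) checks above, written against raw IPv4 bytes, as an added example that is not code from the slides: a minimal packet builder produces Land, Ping of Death and SYN-flood input (checksums left at zero, addresses invented), and a detector applies one single-packet check for each of the first two and a stateful count for the third. The SYN limit is an assumption; real sensors also age the count out over time.

```python
"""Header (context) checks a NIDS performs on raw IPv4: Land, Ping of Death, SYN flood.

Added example, not from the slides. Packets are constructed with a minimal IPv4/TCP
builder (checksums left at zero) so the detector can be exercised offline.
"""
import struct
from collections import defaultdict

SYN, ACK = 0x02, 0x10
IP_MAX = 65535            # largest IPv4 datagram; a reassembled ping bigger than this is the Ping of Death
IPV4_HDR = "!BBHHHBBH4s4s"


def ip_to_bytes(addr):
    return bytes(int(x) for x in addr.split("."))


def build_tcp(sport, dport, flags):
    """Minimal 20-byte TCP header (data offset 5, no options, checksum 0): constructed test input."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def build_ipv4(src, dst, proto, payload, ident=1, more_frags=False, frag_off=0):
    """Minimal IPv4 header (IHL 5, TTL 64, checksum 0) + payload; frag_off is in 8-byte units."""
    flags_frag = (0x2000 if more_frags else 0) | (frag_off & 0x1FFF)
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), ident, flags_frag, 64, proto, 0,
                      ip_to_bytes(src), ip_to_bytes(dst))
    return hdr + payload


def parse_ipv4(pkt):
    (ver_ihl, _tos, total, ident, flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack(IPV4_HDR, pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)), "proto": proto,
            "id": ident, "frag_off": (flags_frag & 0x1FFF) * 8, "payload": pkt[ihl:total]}


class HeaderDetector:
    """Single-packet checks (Land, Ping of Death) plus one multi-packet check (SYN flood)."""

    def __init__(self, syn_limit=100):
        self.syn_limit = syn_limit
        self.frag_end = defaultdict(int)    # (src, dst, proto, id) -> highest byte offset seen so far
        self.half_open = defaultdict(int)   # dst -> SYNs not yet followed by an ACK (crude half-open count)

    def feed(self, pkt):
        ip = parse_ipv4(pkt)
        alerts = []
        # Land: a packet addressed from a host to itself; vulnerable stacks looped on it.
        if ip["src"] == ip["dst"]:
            alerts.append(("LAND", ip["src"]))
        # Ping of Death: the reassembled datagram would exceed the IP maximum and overflow the reassembly buffer.
        key = (ip["src"], ip["dst"], ip["proto"], ip["id"])
        self.frag_end[key] = max(self.frag_end[key], ip["frag_off"] + len(ip["payload"]))
        if self.frag_end[key] > IP_MAX:
            alerts.append(("PING_OF_DEATH", self.frag_end[key]))
        # SYN flood: too many SYNs to one destination without the ACK that would complete a handshake.
        if ip["proto"] == 6 and len(ip["payload"]) >= 20:
            flags = ip["payload"][13]           # TCP flags byte
            if flags & SYN and not flags & ACK:
                self.half_open[ip["dst"]] += 1
                if self.half_open[ip["dst"]] == self.syn_limit:
                    alerts.append(("SYN_FLOOD", ip["dst"]))
            elif flags & ACK and self.half_open[ip["dst"]] > 0:
                self.half_open[ip["dst"]] -= 1
        return alerts


if __name__ == "__main__":
    det = HeaderDetector(syn_limit=50)
    print(det.feed(build_ipv4("10.0.0.5", "10.0.0.5", 6, build_tcp(139, 139, SYN))))
    print(det.feed(build_ipv4("10.0.0.9", "10.0.0.5", 1, b"\x00" * 1000, ident=77, frag_off=8100)))
    flood = HeaderDetector(syn_limit=50)
    for i in range(50):
        hits = flood.feed(build_ipv4(f"198.51.100.{i + 1}", "10.0.0.5", 6, build_tcp(40000 + i, 80, SYN), ident=i))
    print(hits)
```

The Ping of Death check is the single-packet case that still needs a little state: one fragment with a high offset is enough to prove the reassembled size would be illegal, but the sensor has to remember the highest offset per (addresses, protocol, id) tuple. The SYN-flood counter is the multi-packet case; it is keyed on the victim, not the source, because flood sources are usually spoofed.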
28
Comparison of Host versus Network-Based IDS/IPS
Quality | Network-Based IDS | Host-Based IDS
Cost of ownership | One strategically placed sensor serves a community of computers, but a separate NIDS machine must be purchased | Each host requires its own IDS software package
Strengths | Extensive protocol-based attack patterns are supported; cannot inspect encrypted packets | Monitors important system components such as key DLLs and the NT Registry; monitors user file access; some protocol attack patterns are supported by stack-based HIDS; operates after decryption, so traffic that was encrypted on the wire can be inspected
Evidence removal | Attackers cannot remove evidence once it is captured | Attackers who compromise the host can alter its logs
Real-time detection and response | Alarms occur as traffic is captured, in real time | Alarm occurs as the log is monitored, in near-real time; protocol (stack) alarms occur in real time
Malicious intent detection | Placing a NIDS outside the firewall reveals attempted attacks that did not succeed | (no entry)
Complement / verification | Can be used to verify proper functioning of the firewall; false positives will occur | Can complement other systems; false positives are less likely
Operating system | Operating-system independent | Specific to one OS and requires the OS to be functioning properly and not compromised
30
How to Attach an IDS
  • Switch: forwards each frame only to the port of
    its destination node
  • High throughput, since simultaneous transmissions
    can occur between different pairs of ports
  • Switched Port Analyzer (SPAN) port mirrors TX, RX
    or both directions of one or more source ports
    (commonly the uplink to the router) to the port
    where a network sniffer or IDS listens
  • Disadvantage: a switch supports only one or a few
    SPAN sessions; mirroring adds load, and the SPAN
    port drops packets once the mirrored traffic exceeds
    its capacity (both directions of a full-duplex
    source can be twice the monitor port's bandwidth)
  • Advantage: no extra equipment, easy to install
  • Hub: repeats traffic to all ports, so the IDS sees
    everything
  • Disadvantage: throughput limitations since all
    nodes share the same physical link (half duplex,
    collisions); cannot run full duplex between switch
    and router
  • Advantage: easy to install and configure
  • Tap: a "T" or listening device inserted in the
    link that copies traffic to the NIDS
  • Disadvantage: a passive tap delivers each direction
    on a separate monitor port, so full-duplex capture
    needs two capture interfaces (or an aggregation tap),
    and the sniffing interface must be configured
    stealthily (no IP address, receive only)
  • Advantage: fault tolerant on power failure (a
    passive tap keeps the link up), no throughput
    degradation, and the IDS is protected from attack
    because the monitor side cannot transmit onto the link

31
Distributed Host-Based IDS
33
Network-Based IDS
  • network-based IDS (NIDS)
  • monitor traffic at selected points on a network
  • in (near) real time to detect intrusion patterns
  • may examine network, transport and/or application
    level protocol activity directed toward systems
  • comprises a number of sensors
  • inline (possibly as part of other net device)
  • passive (monitors copy of traffic)

34
NIDS Sensor Deployment
35
Intrusion Detection Techniques
  • signature detection
  • at application, transport, network layers
    unexpected application services, policy
    violations
  • anomaly detection
  • of denial of service attacks, scanning, worms
  • when potential violation detected sensor sends an
    alert and logs information
  • used by analysis module to refine intrusion
    detection parameters and algorithms
  • by security admin to improve protection

36
Distributed Adaptive Intrusion Detection
37
Intrusion Detection Exchange Format
38
Honeypots
  • are decoy systems
  • filled with fabricated info
  • instrumented with monitors / event loggers
  • divert and hold attacker to collect activity info
  • without exposing production systems
  • initially were single systems
  • more recently are/emulate entire networks

39
Honeypot Looks Real
  • A system with NO OTHER USERS or production
    applications, so every access attempt is suspect
    and is LOGGED
  • Honeypots are high maintenance, high risk
  • Honeypots are not legally a form of entrapment
  • Types may include
  • Port monitor: sockets-based program that listens
    for connections and records them
  • Deception system: pretends to be a real
    application by sending valid replies (e.g. mail)
  • Multi-protocol deception system: pretends to
    support multiple applications
  • Full network system plus IDS
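A port monitor that doubles as a small deception system, as an added example (not code from the slides): it listens on a socket, greets every connection with a plausible SMTP banner, logs who connected and what they sent first, and answers with valid-looking replies without ever accepting mail. The hostname in the banner is invented; the server binds to loopback on an ephemeral port so the demo runs offline, whereas a deployed decoy would listen on the real interface and ship its log off-host.

```python
"""Port-monitor / deception honeypot: listen, reply like a mail server, log every contact.

Added example, not from the slides. The hostname in the banner is invented and the
server binds to loopback on an ephemeral port so it can be exercised offline.
"""
import socket
import socketserver
import threading
from datetime import datetime, timezone


class SmtpDecoy(socketserver.BaseRequestHandler):
    """Answers with a plausible SMTP greeting, records the first command, relays nothing."""
    BANNER = b"220 mail.example.internal ESMTP ready\r\n"   # assumed, fake identity

    def handle(self):
        self.request.settimeout(5)
        self.request.sendall(self.BANNER)
        try:
            first = self.request.recv(512)
        except socket.timeout:
            first = b""
        # Every connection is logged: nobody legitimate should be talking to this host.
        self.server.log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "peer": self.client_address[0],
            "peer_port": self.client_address[1],
            "first_line": first.decode("ascii", errors="replace").strip(),
        })
        # Keep the caller engaged with a valid-looking reply, but never accept mail.
        if first.upper().startswith((b"EHLO", b"HELO")):
            self.request.sendall(b"250 mail.example.internal\r\n")
        else:
            self.request.sendall(b"500 5.5.1 Command unrecognized\r\n")


class Honeypot(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, address=("127.0.0.1", 0)):
        super().__init__(address, SmtpDecoy)
        self.log = []   # in-memory event log; a real deployment ships this off-host

    def start(self):
        threading.Thread(target=self.serve_forever, daemon=True).start()
        return self.server_address[1]   # actual port (0 means the OS picked one)


def probe(port, command=b"EHLO scanner\r\n"):
    """Constructed attacker: connect, read the banner, send one command, return both replies."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        banner = s.recv(512)
        s.sendall(command)
        reply = s.recv(512)
    return banner, reply


def run_demo():
    """Start the decoy, hit it once, shut it down; returns (log, banner, reply)."""
    hp = Honeypot()
    port = hp.start()
    try:
        banner, reply = probe(port)
    finally:
        hp.shutdown()
        hp.server_close()
    return hp.log, banner, reply


if __name__ == "__main__":
    for entry in run_demo()[0]:
        print(entry)
```

This is the "high risk" side of the slide in miniature: the decoy parses attacker-controlled bytes, so it is kept as small as possible, drops the connection after one exchange, and holds no real data. A deception system that fully emulated SMTP would be more convincing and proportionally more exposed.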

40
Honeypots
  • Advantages
  • Watch and learn from attackers to strengthen
    defense
  • Lure an attacker to a safe place to identify and
    stop the attacker
  • Keep attackers busy in a safe environment for
    hours
  • Disadvantages
  • A hacked honeypot can serve as launching pad into
    rest of network
  • Honeypots must be maintained and monitored

41
Honeypot Deployment
42
SNORT
  • lightweight IDS
  • real-time packet capture and rule analysis
  • passive or inline (IPS)

43
SNORT Rules
  • use a simple, flexible rule definition language
  • each rule has a fixed header and zero or more options
  • header includes action, protocol, source IP,
    source port, direction, destination IP, destination
    port
  • many options; $HOME_NET and $EXTERNAL_NET are
    variables defined in the configuration
  • example rule to detect a TCP SYN-FIN scan (a packet
    with both SYN and FIN set is never legitimate and is
    a classic scanner fingerprint):
  • alert tcp $EXTERNAL_NET any -> $HOME_NET any \
  •   (msg: "SCAN SYN FIN"; flags: SF, 12; \
  •   reference: arachnids, 198; classtype: attempted-recon;)
  • flags: SF,12 matches packets with exactly SYN and
    FIN set while ignoring the two reserved (ECN) bits,
    so an ECN-capable scanner does not evade the rule

44
SNORT NIDS -> NIPS
  • Snort rule format
  • cmd protocol sourceIP sourcePort direction
    destIP destPort (<keyword>:<value>; <keyword>:<value>; ...)
  • cmd = alert | pass | log | activate | dynamic
  • log: writes the packet (text only) to the log
  • alert: writes to the alert file (and logs the packet)
  • protocol = ip, udp, icmp, or tcp (the Snort manual
    lists arp, igrp, gre, ospf, rip, ... as possible
    future additions)
  • port = any, a single port (1024), or a range
    (1024:6000)
  • direction = -> or <>

45
Snort Command Example
  • Snort rule format
  • cmd protocol sourceIP sourcePort direction
    destIP destPort (<keyword>:<value>; <keyword>:<value>; ...)
  • Example (variables first, then the rule that uses them):
  • var HTTP_SERVERS 192.168.1.50/32
  • var HOME_NET 192.168.1.0/24
  • var EXTERNAL_NET !$HOME_NET
  • alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 \
  •   (msg: "WEB-IIS cmd.exe access"; flags: A+; \
  •   content: "cmd.exe"; nocase; classtype: web-application-attack;)
  • flags: A+ accepts ACK plus any other flags (a bare A
    would miss the usual PSH+ACK data segments); nocase
    makes the content match case-insensitive so CMD.EXE
    is caught as well

46
Snort Keywords
  • Keywords can include
  • dsize: test the payload size (e.g. dsize: >1000);
    oversized payloads often indicate buffer-overflow
    attempts
  • ttl: IP time-to-live value
  • fragbits: R = Reserved, D = Don't Fragment, M = More
    Fragments
  • ipopts: IP options, e.g. lsrr = loose source routing,
    ssrr = strict source routing
  • flags: S = SYN, A = ACK, F = FIN, R = RST, P = PSH,
    U = URG, with modifiers (+ = these plus any others,
    * = any of these, ! = none of these)
  • itype: ICMP message type
  • content: <text or |hex| data to search for in the
    payload>
  • uricontent: match against the normalized URI of an
    HTTP request (e.g., /bin/ps)
  • offset: position in the packet payload at which to
    begin searching for a match
  • nocase: makes the preceding content match
    case-insensitive
  • sid: signature ID, a unique number identifying the
    rule
  • ip_proto: the IP protocol number carried after the
    IP header (e.g., 6 = TCP, 17 = UDP); note that 53
    (DNS) is a port number, not an IP protocol, and is
    matched in the rule header's port field instead
  • rev: rule revision number
  • logto: file to write the log to
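A matcher for the rule language of slides 43-46, as an added example that is not Snort's own code: it parses the header (with $VAR expansion and ! negation), keeps the options in order so that nocase binds to the content before it, and evaluates flags (with the ",12" ignore mask and the + modifier), content with |hex| escapes, and dsize against a packet. The variable definitions, rules and packets are constructed; the sids are local-range numbers (1000001 and up), not the real ruleset's sids; flow/stream state, PCRE and the preprocessors are deliberately absent.

```python
"""Matcher for the Snort rule subset on slides 43-46 (added example, not Snort's code).
Simplified: no stream/flow state, no PCRE. VARS, rules and packets are constructed;
the sids are local-range numbers, not real ruleset sids."""
import ipaddress
import re

VARS = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "!$HOME_NET", "HTTP_SERVERS": "192.168.1.50/32"}
RULES_TEXT = """
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN FIN"; flags:SF,12; classtype:attempted-recon; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags:A+; content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1000002; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP oversized echo"; dsize:>1000; sid:1000003; rev:1;)
"""
HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
FIELDS = ("action", "proto", "src", "sport", "dir", "dst", "dport")


def split_options(body):
    """Split on ';' outside quotes, keeping order: nocase modifies the content option before it."""
    opts, cur, inq = [], "", False
    for ch in body:
        inq ^= ch == '"'
        if ch == ";" and not inq:
            opts, cur = opts + [cur], ""
        else:
            cur += ch
    return [(k.strip(), v.strip().strip('"')) for o in opts + [cur] if o.strip()
            for k, _, v in [o.partition(":")]]


def parse_rules(text):
    rules = []
    for line in text.strip().splitlines():
        m = HEADER.match(line.strip())
        if not m:
            raise ValueError("bad rule: " + line)
        rule = dict(zip(FIELDS, m.groups()[:7]))
        rule["opts"] = split_options(m.group(8))
        rules.append(rule)
    return rules


def resolve(spec):
    """Expand $VAR (a var may itself be negated) and fold '!' into one flag: (negated, literal)."""
    neg = False
    while spec and spec[0] in "!$":
        neg, spec = (not neg, spec[1:]) if spec[0] == "!" else (neg, VARS[spec[1:]])
    return neg, spec


def net_match(spec, ip):
    neg, spec = resolve(spec)
    return neg != (spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False))


def port_match(spec, port):
    neg, spec = resolve(spec)
    if ":" in spec:                                    # range; either bound may be omitted
        lo, _, hi = spec.partition(":")
        return neg != (int(lo or 0) <= port <= int(hi or 65535))
    return neg != (spec == "any" or port == int(spec))


def flags_match(spec, have):
    """flags:SF,12 = exactly SYN+FIN ignoring reserved bits 1 and 2; a trailing + allows extra flags."""
    spec, _, ignore = spec.partition(",")
    want, have = set(spec.rstrip("+")), set(have) - set(ignore)
    return want <= have if spec.endswith("+") else want == have


def content_bytes(spec):
    """Snort's |hex| escape inside content: 'ab|90 90|cd' -> b'ab\\x90\\x90cd'."""
    return b"".join(bytes.fromhex(s) if i % 2 else s.encode() for i, s in enumerate(spec.split("|")))


def dsize_match(spec, size):                           # dsize:>N, <N or N
    return size > int(spec[1:]) if spec[0] == ">" else size < int(spec[1:]) if spec[0] == "<" else size == int(spec)


def header_match(rule, pkt):
    ends = [(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])]
    if rule["dir"] == "<>":                            # bidirectional: also try the packet reversed
        ends.append((pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]))
    return rule["proto"] in ("ip", pkt["proto"]) and any(
        net_match(rule["src"], s) and port_match(rule["sport"], sp)
        and net_match(rule["dst"], d) and port_match(rule["dport"], dp) for s, sp, d, dp in ends)


def matches(rule, pkt):
    if not header_match(rule, pkt):
        return False
    payload, opts = pkt["payload"], rule["opts"]
    for i, (k, v) in enumerate(opts):
        if k == "content":                             # an immediately following 'nocase' modifies it
            pat, hay = content_bytes(v), payload
            if i + 1 < len(opts) and opts[i + 1][0] == "nocase":
                pat, hay = pat.lower(), hay.lower()
            if pat not in hay:
                return False
        elif k == "flags" and not flags_match(v, pkt.get("flags", "")):
            return False
        elif k == "dsize" and not dsize_match(v, len(payload)):
            return False
    return True


def check_packet(rules, pkt):
    """(action, msg) for every rule the packet triggers, in rule order."""
    return [(r["action"], dict(r["opts"]).get("msg", "")) for r in rules if matches(r, pkt)]
```

Two things worth noticing when running it: a packet from 192.168.1.20 never matches, because $EXTERNAL_NET resolves to the negation of $HOME_NET, and the cmd.exe rule still fires on "CMD.EXE" only because nocase follows the content option; move nocase before it and the match becomes case-sensitive, which is the kind of "slight deviation" slide 21 warns about.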

47
Snort IPS Additional Commands
  • New rule actions used for inline configurations
  • drop: alert and drop the packet
  • sdrop: drop the packet but don't trigger the
    alert (silent drop)
  • E.g. sdrop udp $EXTERNAL_NET any ... (rest of the
    header and options as for alert)

48
Snort IPS Added Keywords
  • resp: <resp_keyword>[,<resp_keyword>]
  • <resp_keyword> = rst_snd, rst_rcv, rst_all,
    icmp_net, icmp_host, icmp_port, icmp_all
  • sends a TCP RST to the packet sender, recipient or
    both; sends ICMP network/host/port unreachable (or
    all three)
  • react: <react_keyword>[,<react_keyword>]
  • <react_keyword> = block, warn, msg, proxy
  • used with HTTP-based attacks (closes the connection
    and sends a notice page to the browser)
  • E.g. alert tcp any any <> $HOME_NET 80 (content:
    "naughtyContent"; msg: "Not allowed!"; react:
    block,msg;)
  • replace: text to replace the matched content with
  • allows replacement of potentially dangerous text
    with safe text, e.g. cmd.exe -> a harmless string;
    the replacement must be exactly the same length as
    the matched content, because Snort rewrites the
    bytes in place without changing the packet length
    (so cmd.exe cannot become nocmd.exe, but something
    like bad.exe fits)

49
Cisco Secure Intrusion Detection
  • Management console: must be in a secure location
  • May alarm, log, page, and/or email the administrator
  • Allows configuration of the necessary signatures

50
Cisco Secure Intrusion Detection
  • Sensor response to attack, one or more of:
  • Shun: dynamically rewrites the access lists to
    deny the attacker access to internal networks
  • Can change access lists on the firewall or router
  • Log: save alarm information (at the sensor and/or
    the management console)
  • TCP Reset: send a TCP reset to terminate the
    connection; note it arrives after the initial attack
    packets have already reached the victim

51
Summary
  • introduced intruders and intrusion detection
  • hackers, criminals, insiders
  • intrusion detection approaches
  • host-based (single and distributed)
  • network
  • distributed adaptive
  • exchange format
  • honeypots
  • SNORT example