Intrusion Detection

1
Intrusion Detection

• Dr. James P. Early
• CS526 Lecture
• November 8, 2005

2
Lecture Outline

• Terminology
• History
• Challenges

3
What is an intrusion?

• Any set of actions that attempt to compromise the
  confidentiality, integrity, or availability of a
  computer resource
• Term is overloaded
• Trying to detect a policy violation

4
Types of Violations

• Attack
• Attempts to exploit a vulnerability
• Ex denial of service, privilege escalation
• Intrusion
• Masquerading as another legitimate user
• Misuse
• User abuses privileges
• Often called the insider threat

5
Differentiating ID Systems

• Monitoring strategy
• Data sources
• Analysis Type
• Timing
• Detection Goals
• Control

6
Monitoring Strategy

• Host
• Internal computer sources
• Ex OS audit and system logs
• Network
• Packets via sniffing
• Application
• Application event streams and logs
• Target-based
• Monitor object for changes
• Ex Tripwire

7
Analysis Type

• Misuse detection
• Built with knowledge of bad behaviors
• Collection of signatures
• Examine event stream for signature match
• Anomaly detection
• Built with knowledge of normal behaviors
• Examine event stream for deviations from normal

8
Timing

• Batch/interval
• Analysis is done on bulk data (files)
• Analysis is periodic
• Real-time
• Analysis tries to keep pace with events
• Results can be used to take timely action

9
Detection Goals

• Accountability
• Capability to attribute an action to the
  responsible party
• Very challenging in networked environments
• Response
• Record result to a log
• Trigger alarm
• Adapter the system
• Kill a process update a firewall rule

10
Control

• Centralized
• Central repository for data collection/analysis
• Ex Tripwire (host) and SNORT (network)
• Agent-based
• Distributed collection using agents or sensors
• Alerts can be sent to central collection point
• Ex ESP (host) and AAFID (network)

11
History

• 1970s - Observation by administrators
• When an account is used
• When/how much a resource is used
• Early 1980s Usage models
• First proposed by Anderson (1980)
• Based on accounting logs
• Login frequency, volume data processed, etc.
• Batch processing not real time

12
Andersons Threat Matrix
13
History

• Late 1980s Real-time Intrusion Detection
• Principles formalized by D. Denning (from
  Purdue!)
• Created the Intrusion Detection Expert System
  (IDES)
• Hybrid of anomaly detection and an expert system
• Used adaptive statistical profiles and policy
  rules
• Many more followed
• Haystack, MIDAS, NADIR, NSM, Wisdom and Sense

14
History

• 1990s
• Increased attention on network-based systems
• GrIDS, EMERALD
• Introduction of machine learning and data mining
  techniques
• MADAMID (Mining Audit Data for Automated Models
  for Intrusion Detection)
• ADAM (Audit Data Analysis and Mining)

15
Challenge Data Sources

• Are we collecting the right information?
• Does it permit identification of violations?
• How much information is enough?
• Where to collect?
• Host versus network?
• Format for interoperability?
• IDMEF XML-based message format (2004)

16
System Features

• Accounting information
• Login attempts, time, CPU used
• Resources accessed
• Sequences of system calls
• Hofmeyr (1998)
• Sequences of user commands
• Lane (1998)
• Mouse movements
• Pusara (2003)

17
Network Features

• Packet header values
• Mahoney (2002)
• TCP Sessions
• Lee (2002)
• Behavioral features
• Early (2005)

18
The Evasion Problem

• Location can make IDS vulnerable
• Overload monitor with events
• Slow processing
• Overload disk storage
• DoS attacks
• Ptacek and Newsham (1998)

Monitor
Victim
Dropped by network
19
Challenge Analysis Type

• Misuse detection
• Limited by available signatures
• Cant detect new attacks
• Must be updated frequently
• Anomaly detection
• Requires representative normal data
• Requires attack-free data
• Some systems combine approaches

20
Challenge Timing

• Time to detect
• How many signatures can be checked?
• How long to verify model compliance?
• Is there time to react?
• Violations within idle interval
• A file modification between Tripwire runs

21
Challenge Control

• Centralized
• Sufficient processing resources
• Protection from attack
• Agent-based
• Secure communication
• Efficiency
• Does the agent make reasonable processing
  demands?
• Subversion

22
Causes of Security Problems

• System design and development
• Software platform buffer overflows, stack
  smashing
• Inadequate development process / quality
  assurance
• Errors/bugs
• System management
• Failure to create adequate policies
• Failure to maintain (patches, etc.)
• Trust allocation
• Protocols with inadequate authentication
• Faulty cryptographic protocols
• Failure to create adequate policies

23
Defining Policy

• Consider this example
• A hospital deploys a database system for patient
  records. The system consists of a centralized DB
  server accessed by client systems in the
  hospital. Clients access the information through
  a network of connected PCs and via wireless PDAs
• What sorts of policy statements can we make about
  the hardware? Software? Users?

24
Defining Policy

• Possible statements
• The DB server software will be kept up to date
• Unused network services (ports) on the DB server
  will be disabled
• Wireless access will employ strong cryptographic
  protocols
• Users are prohibited from examining records of
  patients not in their care
• Machine readable policy is very hard problem
• Particularly for misfeasance (i.e. insiders)

25
Performance Issues

• False positive rates
• Labeling a benign event as an attack
• Particularly troublesome for anomaly detection
  systems
• Dominate IDS performance
• Base Rate Fallacy, Axelsson (1998)
• False negative rates
• Failure to detect an attack event
• Data volume
• Partitioning / filtering event streams

26
Honeypots and Honeynets

• Real or virtual system
• Any activity is an attack
• Entice attackers to break in
• Observe actions and tool usage
• Record all activities
• Use information to develop stronger defenses

27
Research Directions

• Policy derivation/validation
• Theorem provers
• Worm propagation
• Infrastructure protection
• Routing and DNS tables
• Feature extraction
• Library interposition (Kuperman 2004)
• Network protocols (Early 2005)

28
Questions?
29
References

• Intrusion Detection, Rebecca Bace, Macmillan
  Technical Publishing, 2000
• CERIAS
• http//www.cerias.purdue.edu/tools_and_resources/h
  otlist/
• Phillip Chan
• http//www.cs.fit.edu/pkc/id/related/