Network Security and Intrusion Detection - PowerPoint PPT Presentation



Network Security and Intrusion Detection
  • Survey of the Art and Practice
  • Dr. Michah Lerner
  • AT&T Labs
  • 15-August-2000

  • Model
  • Principles
  • Assumptions
  • Methods
  • Products

No silver bullets
Published sources only
Note: this talk describes some attack models. If
you'd like to try them out, don't!
Intrusion Detection Systems, IDS
  • Identified by Dorothy Denning in 1987 IEEE
    Software Engineering
  • Protect systems and networks from threats,
    vulnerabilities, and intrusions
  • Art includes
  • Bro: A System for Detecting Network Intruders in
    Real Time (Vern Paxson)
  • JiNao: protects link-state routing (Felix Wu)
  • Rule-based expert system, statistical analysis,
    protocol analysis, OSPF MIB, distributed
    programming interface (DPI)
  • Vendors include
  • lists 171 security products
  • Axent (NetProwler, and Tivoli modules), ISS,
    Network Associates, Cisco

A Story
  • Jane the Dandelion wine merchant
  • Running SSL to protect her eCommerce site
  • Coalition against Dandelion Wine
  • Quietly launches a chosen ciphertext attack
    against her SSL server (Daniel Bleichenbacher,
    LNCS 1462, 1998)
  • Exploit weakness in SSL V.3.0
  • Generate many authentication requests
  • SSL reports which ones were incorrectly formatted
  • The Coalition obtained her master secret!
  • They tested about one million chosen
    ciphertexts on her server!
  • She just thought that SSL was slow!
  • IDS would have found incomplete SSL
    handshakes, and probably foiled the intruder

  • Assumptions
  • RFC 1636 encryption essential to security
  • Open networks violate this assumption
  • Encryption should protect control information, as
    well as contents
  • See section 7.3 of the RFC
  • In an attack from Vi → net → Vj, assume only one of
    Vi, Vj is the attacker
  • DDOS violates this assumption
  • Assumptions are sometimes wrong
  • Replay attack can masquerade with encrypted data
  • Distributed attacks can leverage multiple
  • Encryption can be broken

Concept Collection Analysis
CERN European Laboratory for Particle Physics
Birth Place of The Web Browser
  • Every time something suspicious is detected, the
    session's security weight is increased
  • When the security weight gets higher than a
    given threshold, detailed monitoring starts
  • Encryption was, until recently, not allowed by
    the French law
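As an added example (not code from the talk), the CERN session-weighting idea above applied to the SSL story told earlier: each suspicious event adds a weight to its session and, once the weight passes the threshold, that session is put under detailed monitoring. Session ids, event kinds, weights and the threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events (session_id, event_kind); not real traffic.
# One client repeatedly produces malformed/incomplete SSL handshakes,
# which is what the slide says an IDS would have noticed.
SAMPLE_EVENTS = [
    ("10.0.0.7:4431", "ssl_handshake_ok"),
    ("10.0.0.9:5120", "ssl_bad_padding"),
    ("10.0.0.9:5120", "ssl_incomplete_handshake"),
    ("10.0.0.9:5120", "ssl_bad_padding"),
    ("10.0.0.9:5120", "ssl_incomplete_handshake"),
    ("10.0.0.7:4431", "ssl_handshake_ok"),
]

# Assumed weights per suspicious event kind; benign events add nothing.
EVENT_WEIGHTS = {
    "ssl_bad_padding": 3,
    "ssl_incomplete_handshake": 2,
    "failed_auth": 2,
}


class SessionWeightMonitor:
    """Raise a session's security weight on suspicious events and start
    detailed monitoring once the weight exceeds the threshold."""

    def __init__(self, threshold=8):
        self.threshold = threshold
        self.weight = defaultdict(int)   # session -> accumulated weight
        self.detailed = set()            # sessions under detailed monitoring

    def observe(self, session, kind):
        self.weight[session] += EVENT_WEIGHTS.get(kind, 0)
        if self.weight[session] > self.threshold:
            self.detailed.add(session)
        return session in self.detailed


def run(events, threshold=8):
    """Feed all events; return final weights and the flagged sessions."""
    mon = SessionWeightMonitor(threshold)
    for session, kind in events:
        mon.observe(session, kind)
    return dict(mon.weight), sorted(mon.detailed)
```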

  • Not much used for first break-in discovery, but
    invaluable for security incident analysis and
    follow-up; it answers typical questions like:
  • When did the first break-in happen?
  • Which other systems may have been attacked?
  • Which other services on the attacked system
    may have been compromised?
(Diagram labels: Security officer, Suspicious behavior)
Intrusion Examples
  • Denial of Service
  • Hijacking of session or router
  • Theft
  • Resources bandwidth theft or blockage
  • Identity
  • Information

Intrusion at any layer or slice: Difficult and
Complex Problem
Mobsters 101: How to Intrude
  • Resources
  • Exhaust, overload or consume
  • Control Functions
  • Undermine direct control protocols
  • Assert authentication or authorization contrary
    to policy
  • Block authentication or authorization
  • Undermine indirect control
  • Subvert timing or other policing methods
  • Transport Functions
  • Transmit forged content
  • Modify, Read or Block content
  • Many attackers use tools like COPS or SATAN,
    which automate the process of checking for known
    bugs in remote network systems. These freely
    available tools, as well as commercial tools such
    as ISS's Internet Scanner, are designed to help
    systems administrators audit their own networks,
    but are equally useful to an attacker.
  • See http//

Intrusion Definition
  • Intrusion
  • Violation of the network policy, even where the
    policy is not completely stated
  • Policy
  • Allocation, usage and return of resources
  • Possibly multiple policies active on a network
  • Varied requirements of business, administration
    or trust
  • Resources
  • Finite
  • Independent
  • Layered
  • Protocol-driven
  • Protocols
  • Efficient, not perfect
  • IP spoofing: packets are not uniquely
    attributable to the origin
  • Costly to stop

Prevention Policies Assurances
  • Violations of policy may define intrusion
  • Except
  • Seldom have such a precise policy in IP
  • The policy could be buggy
  • New applications could violate the policy
  • Cost is prohibitive for many applications
  • Can plug anything into the Internet not just
    safe applications. IEEE 802.3 (Ethernet) is
  • An alternative to formal policy is assurances
  • General policy, but less rigorous
  • Availability: connections, bandwidth, low delay
  • Integrity: privacy, reliability, and low

  • Assurances are threatened by
  • Misuse: specific attack behavior
  • Based on expert knowledge of patterns associated
    with attack
  • Patterns of misuse defined by experts, or by
    machine learning should not occur
  • Examples
  • Mismatched SYN/ACK
  • Same authenticated user from multiple locations?
  • Multiple failed authentications? From different
  • Problem only recognizes anticipated threats (but
    can combine several threats that might otherwise
    be missed)
  • Anomalous use: possible attack
  • Recognize increased risk to network
  • Compare actual with expected behavior
  • Load rising atypically?
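Two of the expert-defined misuse patterns listed above, "same authenticated user from multiple locations" and "multiple failed authentications from different sources", as an added example (not from the talk) run over a constructed authentication log. The log format, window and limits are assumptions.

```python
import re
from collections import defaultdict

# Constructed auth log: "<timestamp> <OK|FAIL> <user> <source-ip>". Not real data.
SAMPLE_LOG = """\
1000 OK alice 192.0.2.10
1020 OK alice 198.51.100.5
1030 FAIL bob 203.0.113.1
1031 FAIL bob 203.0.113.2
1032 FAIL bob 203.0.113.3
1100 OK carol 192.0.2.20
"""

LINE_RE = re.compile(r"^(\d+) (OK|FAIL) (\S+) (\S+)$")


def parse(log):
    """Yield (timestamp, result, user, source) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m.group(1)), m.group(2), m.group(3), m.group(4)


def misuse_alerts(log, window=60, fail_limit=3):
    """Signature-style rules (anticipated threats only, as the slide warns):
    1. one user successfully authenticated from two sources within `window`
    2. `fail_limit` failures for one user from more than one source"""
    alerts = []
    ok_seen = defaultdict(list)   # user -> [(ts, src)] of successes
    fails = defaultdict(list)     # user -> [(ts, src)] of recent failures
    for ts, result, user, src in parse(log):
        if result == "OK":
            others = [s for t, s in ok_seen[user] if ts - t <= window and s != src]
            if others:
                alerts.append(("multi_location", user, sorted(set(others + [src]))))
            ok_seen[user].append((ts, src))
        else:
            # keep only failures inside the sliding window
            fails[user] = [(t, s) for t, s in fails[user] if ts - t <= window]
            fails[user].append((ts, src))
            srcs = {s for _, s in fails[user]}
            if len(fails[user]) >= fail_limit and len(srcs) > 1:
                alerts.append(("distributed_fail", user, sorted(srcs)))
    return alerts
```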

How to Protect the Assurances?
  • Redundancy
  • Makes it harder to corrupt
  • Make it easier to identify corruption
  • May make it easier to locate the corruption
  • Explicit redundancy: added to network or data
  • Tags and attributes
  • Input/output validation
  • Implicit redundancy: already in the network
  • Anonymous timing
  • Private network attributes
  • Content privacy and easily evaded
  • Per-protocol or general properties
  • State-machine compliance?
  • Frame-format?

Two Keys to Protection
  • Prevention
  • Define multiple layers
  • Define behavior of each layer, including
  • Enforce each behavior
  • Prohibit actions that may compromise the behavior
  • Examples
  • IP DDOS does not affect ATM integrity
  • Replay of short-lifetime HTTP cookies is
  • Link-layer marking
  • Ingress/egress filtering
  • End-to-end coordination
  • Detection
  • Identify correct behavior
  • Reinforce or augment
  • Redundancy
  • Format (protocol)
  • Augmentation (tags)
  • Validations
  • Characterize activities
  • Recognize anomalies
  • Unusual transit duration, route, or augmentation
  • Item: invalid packet header
  • Aggregate: bad path or invalid protocol sequence
  • Honeypot traces

Explicit Redundancy Protection
  • Content transformation
  • SSL
  • Cookies
  • Protocol hardening against adversarial errors
  • IPSec
  • Invalid session properties (i.e. stale keys,
    invalid context or content) may indicate attack
  • Packet augmentation
  • Security labels
  • Properties inherited from ingress
  • Requirements incumbent upon egress
  • Min/max trust and validation of information flow
  • Management at Ingress/Egress
  • Interaction with authentication and multiple

Implicit Redundancy Detection
  • Packet
  • Well-formed packets (protocol-compliant)
  • Well-defined packets (service behavior)
  • Source, destination, format
  • May validate endpoints and actions
  • Traffic profile
  • Acquire by observation of usage
  • Statistical model: distinctive characteristics
    (packet size, timing), not on connection
  • Resists encryption, and preserves privacy
  • Database of representative samples
  • Does the traffic profile fit the
    source/destination profiles?
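The content-independent traffic profile described above, as an added example that is not from the talk: learn mean and spread of packet size and inter-arrival time from observed samples, then ask whether a new window fits the profile. The baseline numbers and the z-score cut-off are constructed assumptions; the same check also serves the later slide on recognizing statistically significant variation in flow properties.

```python
import statistics

# Constructed observations: list of (packet_size_bytes, inter_arrival_seconds).
# Chosen to resemble a steady interactive flow; not captured traffic.
BASELINE = [(64 + 8 * (i % 5), 0.10 + 0.01 * (i % 3)) for i in range(60)]


def build_profile(samples):
    """Profile uses only size and timing, so it works on encrypted traffic
    and never looks at payload (the slide's privacy point)."""
    sizes = [s for s, _ in samples]
    gaps = [g for _, g in samples]
    return {
        "size": (statistics.mean(sizes), statistics.pstdev(sizes)),
        "gap": (statistics.mean(gaps), statistics.pstdev(gaps)),
    }


def zscore(value, mean_sd):
    """Distance of `value` from the profile mean in standard deviations."""
    mean, sd = mean_sd
    return 0.0 if sd == 0 else (value - mean) / sd


def fits_profile(profile, window, max_z=3.0):
    """Compare the window's mean size and mean gap with the profile.
    Returns (fits, (z_size, z_gap)); |z| above max_z is flagged."""
    sizes = [s for s, _ in window]
    gaps = [g for _, g in window]
    z_size = zscore(statistics.mean(sizes), profile["size"])
    z_gap = zscore(statistics.mean(gaps), profile["gap"])
    return abs(z_size) <= max_z and abs(z_gap) <= max_z, (z_size, z_gap)
```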

General Technique
  • Collect traffic and audit information
  • Protocol analysis
  • Various sensors
  • Content-independent sensors may work even on
    encrypted data
  • State-based sensors evaluate the trustworthiness
    of connection path
  • State-free sensors operate without change to
    firewall or network-element
  • Compute patterns of misuse or abuse
  • Recognize patterns of a possible attack
  • Previously observed or predicted attack patterns
  • Uncharacteristic changes in predicted performance

Information to Collect
  • Audit information
  • Management information bases (MIBs) and logs
  • After-the-fact analysis of traffic artifacts
  • Historical information
  • Recognition of previously used contents, such as
    serial numbers, someone else's password, etc.
  • Strength of evidence follows the strength of the
    content source
  • Distributed
  • Exchange data on suspected intrusions (IETF IDWG)
  • Information from IP authentication systems

Information to Compute
  • Attack signatures
  • Hard problem: needs attack models to organize
  • Attacks are often distributed requires
  • ISS publishes about 350 RealSecure signatures at
  • Backdoors
  • Denial of Service
  • Distributed Denial of Service
  • OS Sensor
  • Suspicious Activity
  • Unauthorized Access Attempts
  • Only three detect RIP attacks on routing
  • None of the published signatures mention
    streaming, VoIP, MPEG, Quality of Service, or
    attacks on OSPF

Detailed Taxonomy
  • Knowledge-based
  • Expert systems, signature analysis
  • Petri nets, state-transition analysis
  • Behavior-based
  • Statistics, expert systems
  • Neural networks, user intention model

Source: IBM RZ 3176 (#93222), 10/25/99, Computer
Science/Mathematics (23 pages). A Revised Taxonomy
for Intrusion-Detection Systems, by Hervé Debar,
Marc Dacier, Andreas Wespi
Information Collection Tools
  • Tcpdump
  • Bro
  • NetMon
  • Snort
  • All can use rules

Protocol Monitoring
  • Validate Appropriate Traffic Flows
  • Multiple granularities of description
  • Recognize change from the behavior
  • Activation/deactivation of connections
  • Correlation/evaluation of connection attributes
  • How
  • Protocol scrubbing (INFOCOM 2000)
  • State machines for correct protocol flow
  • Error states for erroneous traffic
  • Pattern recognition
  • Simulation/validation of expected behaviors
  • Does the expected response follow, or something
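The "state machine for correct protocol flow, error states for erroneous traffic" idea above, as an added example (not from the talk) for the TCP three-way handshake. Packets are constructed tuples; the transition table is an assumed, simplified view of the handshake, and it also flags the earlier slide's "mismatched SYN/ACK" case.

```python
# Constructed packet traces as (src, dst, flags); not captured traffic.
GOOD_TRACE = [("c", "s", "SYN"), ("s", "c", "SYN-ACK"), ("c", "s", "ACK")]
# SYN-ACK with no preceding SYN: a mismatched SYN/ACK
ORPHAN_SYNACK = [("s", "c", "SYN-ACK")]
# A second SYN-ACK while the first is still unanswered
REPEATED_SYNACK = [("c", "s", "SYN"), ("s", "c", "SYN-ACK"), ("s", "c", "SYN-ACK")]

# Expected flow: (state, direction, flags) -> next state.
# "fwd" is initiator -> responder, "rev" the other way. Simplified on purpose.
TRANSITIONS = {
    ("CLOSED", "fwd", "SYN"): "SYN_SENT",
    ("SYN_SENT", "rev", "SYN-ACK"): "SYN_RCVD",
    ("SYN_SENT", "rev", "RST"): "CLOSED",
    ("SYN_RCVD", "fwd", "ACK"): "ESTABLISHED",
    ("ESTABLISHED", "fwd", "DATA"): "ESTABLISHED",
    ("ESTABLISHED", "rev", "DATA"): "ESTABLISHED",
    ("ESTABLISHED", "fwd", "FIN"): "CLOSING",
    ("ESTABLISHED", "rev", "FIN"): "CLOSING",
}


class HandshakeMonitor:
    """Track one connection; a packet with no legal transition moves the
    monitor into the ERROR state and records why."""

    def __init__(self):
        self.state = "CLOSED"
        self.initiator = None   # side that sent the first SYN
        self.errors = []

    def feed(self, pkt):
        src, _dst, flags = pkt
        if self.state == "ERROR":
            return self.state               # already flagged; stop evaluating
        if self.initiator is None:
            if flags != "SYN":              # a reply seen before any request
                self.errors.append(f"{flags} from {src} before any SYN")
                self.state = "ERROR"
                return self.state
            self.initiator = src
        direction = "fwd" if src == self.initiator else "rev"
        nxt = TRANSITIONS.get((self.state, direction, flags))
        if nxt is None:
            self.errors.append(f"{flags} ({direction}) unexpected in {self.state}")
            nxt = "ERROR"
        self.state = nxt
        return self.state


def check(trace):
    """Run a trace through a fresh monitor; return (final state, errors)."""
    mon = HandshakeMonitor()
    for pkt in trace:
        mon.feed(pkt)
    return mon.state, mon.errors
```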

ASAX and RUSSEL
(RUle-baSed Sequence Evaluation Language)
  • Stateful event detection
  • Correlation of events across multiple hosts
  • consolidate intrusion evidence from several
    scattered sources and correlate them
    intelligently at a central location.

  • SYN-Flood
  • IP spoof
  • Port Scan
  • Host Scan
  • etc.

Source Aziz
Russell -- ASX
What if Alert?
  • Block offending traffic sources
  • Terminate suspicious processes
  • Coordinate with multiple domains
  • Intruder Detection and Isolation Protocol (IDIP)
  • Trace
  • Report
  • Directive (discovery coordinator)

Products (names changing all the time)
  • Boundary controllers
  • NAI Gauntlet, ARGuE, MPOG, etc.
  • Secure Computing Sidewinder
  • Detectors
  • Axent, Cisco
  • SRI Emerald expert-system
  • NAI CyberCop
  • ISS RealSecure
  • NFR
  • Event-based traffic analysis, pattern matching,
    aggregation and adaptation
  • SUNY, BRO, CIDF, IDIAN, DPF packet filter

Vendors and Products: Tivoli Compatibility
Source: RZ 3253 (#93299), 06/26/00, Computer
Science, 45 pages. Integration of Host-based
Intrusion Detection Systems into the Tivoli
Enterprise Console, Christian Gigandet (IBM
Research, Zurich Research Laboratory)
Cisco Intrusion Detection System: NetSonar
(Scanner), NetRanger (Monitor)
  • The Cisco Secure IDS includes two components
    Sensor (renamed NetSonar) and Director (renamed
  • Cisco Secure IDS Sensors, which are high-speed
    network "appliances," analyze the content and
    context of individual packets to determine if
    traffic is authorized.

  • RealSecure
  • Network engine resides on PC, monitors network
    transmissions for signs of abuse and attack
  • About 350 attack signatures currently published

APIs solve top 4 problems
  • ID module embedded in router/switch/firewall
  • Evaluates all incoming and outgoing traffic for
    intrusions across all ports
  • Switching. Monitors heavily routed or switched
    networks at the most heavily-trafficked network
  • Speed. May also address speed issues by embedding
    ID in higher-performance hardware.
  • ID module running on adapter card
  • Processor provides most of the analysis.
  • Speed. Hardware assist with packet classification
    provides wire-speed intrusion detection.
  • Security is painful. Shrink-wrap ID engine --
    easy to install, easy to manage with relatively
    low cost.
  • ID module as an ASIC
  • ID as a true design component. Installed on
    networking backplane, e.g. multi-gigabit switch,
    Probably only way to handle
  • Switching. Embedded in high-performance network
    device allows access to all packets at single
  • Speed. Wire-speed intrusion detection.
  • ID module embedded in host protocol stack
  • Attached to protocol stack above encryption
  • Encryption. Allows intrusion detection to exist
    in the presence of encrypted traffic while still
    providing adequate value.

CyberSafe Centrax
  • Maintain integrity
  • Per layer
  • Per slice (protocol)
  • Validate packets
  • Ingress/egress counters
  • Squelch attack sources that do not comply with
    reasonable usage
  • Test carefully to ensure not a new application
  • Streaming media is not a UDP attack!
  • Measure and understand flow properties
  • Recognize statistically significant variation
    from these path properties

Backup Slides
A bit more formality A glimpse at some academic

General Network Model (circumscribes the problem)
  • G = (V, E)
  • Path: Vin, Ej, Vj, Ek, Vk, El, ...
  • Path consists of vertices and edges
  • Edges E
  • Propagate signal
  • Vertices V
  • Receive signal
  • Compute output
  • Emit signal

Network Model
  • Edges (links)
  • Signal propagation
  • Impairments due to random noise
  • Redundancy manages noise, fade or analog error
  • Detect and correct by protocols through algebraic
  • Vertices (routers/switches)
  • Aggregate bits into packet
  • Classify and enqueue packet
  • Packet-type and priority (UDP? TCP? ICMP? RSVP?)
  • Loss due to load variation and queue size
  • Detect and correct by redundant payload or
  • Dequeue packet
  • Data packet: compute output as f(packet, control)
  • Control packet: modify control as f(packet,

Vertex Control function f(packet,control)
  • Data packet
  • Pure IP: f(packet, control) is nearly the
    identity function
  • modify TTL, next-hop, etc.
  • Proxy or active protocol: f(packet, control) not
  • Augment packets in more complex custom ways
  • Control packets
  • Routing: static or dynamic
  • Resource: modify resources, i.e. queues,
  • Behavior: modify function, i.e. classifier,
    marking, etc.

Monitoring Entity Signatures
  • Entity output descriptions
  • Compute usage signatures (local and complete)
  • Entity to neighbors
  • Entity to endpoints
  • Entity input descriptions
  • Receivers compute signature of received data
  • Comparisons
  • Entities exchange signatures (or log centrally)
  • Anomaly detected from signature mismatches
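The signature exchange above, as an added example that is not from the talk: a sending entity signs the stream it emitted to a neighbor, the receiving entity signs what it actually received, and a mismatch is the anomaly. Per-packet signatures then locate the corruption, which the earlier redundancy slide says explicit redundancy can make easier. Packet contents and the SHA-256 choice are assumptions.

```python
import hashlib

# Constructed streams: what entity A says it sent to B, and what B received.
SENT_BY_A = [b"pkt-1 hello", b"pkt-2 world", b"pkt-3 bye"]
RECEIVED_BY_B_OK = list(SENT_BY_A)
RECEIVED_BY_B_TAMPERED = [b"pkt-1 hello", b"pkt-2 w0rld", b"pkt-3 bye"]
RECEIVED_BY_B_INJECTED = SENT_BY_A + [b"pkt-4 forged"]


def usage_signature(packets):
    """Order-sensitive signature of a packet stream. Each packet is
    length-prefixed so that re-splitting the same bytes changes the hash."""
    h = hashlib.sha256()
    for pkt in packets:
        h.update(len(pkt).to_bytes(4, "big") + pkt)
    return h.hexdigest()


def compare_signatures(sender_view, receiver_view):
    """Neighbors exchange (or centrally log) their signatures; a mismatch
    flags the link between them without revealing packet contents."""
    s = usage_signature(sender_view)
    r = usage_signature(receiver_view)
    return {"match": s == r, "sender": s, "receiver": r}


def per_packet_diff(sender_view, receiver_view):
    """Locate the corruption: sign each packet separately and return the
    indices where the two views disagree (including extra/missing packets)."""
    sent = [usage_signature([p]) for p in sender_view]
    recv = [usage_signature([p]) for p in receiver_view]
    n = max(len(sent), len(recv))
    return [i for i in range(n)
            if i >= len(sent) or i >= len(recv) or sent[i] != recv[i]]
```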

JiNao: Protect Link-State Routing
Finite state machine with timing analysis;
verifies validity of OSPF actions, and guards
against any intrusion, even one with valid
security credentials