Design Lines for a Long Term Competitive IDS
Erwan Lemonnier
KTH-IT / Defcom
Design Lines for a Long Term Competitive IDS - Erwan Lemonnier - 2001/10/08
Thesis subject:
An analysis of the difficulties IDSs face and how to solve them.
Two approaches are explored:
• Designing efficient filters
• Improving IDS architecture (MIDS)

Plan of Presentation
• Introduction to IDSs
• IDS challenges
• Solution 1: efficient filter design
• Solution 2: MIDS, an alternative IDS architecture

Introduction to IDSs
IDSs are programs monitoring a computer system (network, host) to detect intrusion attempts.
Typically made of a sensor, some filters, an alert-flow and a monitoring center.
[Diagram: Monitored System (Host / Network) -> Monitored Data -> Sensor -> Sensor API -> filters -> Alert-flow -> Monitoring Center]

Sensors: host based / network based
Filters: small programs analyzing sensor data to detect intrusions.
Detection Strategies:
• Signature
• Anomaly detection (protocol anomaly)
[Diagram: protocol anomaly detection, contrasting the Protocol Standard, its Practical Usage and Attacks]

IDS Challenges
• Insertion & Evasion
• Alert-flow control
• Encrypted traffic
• Learning from antiviruses
• Technical obstacles

Insertion & Evasion
• Efficient detection theoretically implies knowledge of the monitored system's state and rules.
• Despite standards, systems are implemented differently.
Ex: different TCP/IP stack implementations
=> the IDS always makes some false assumptions about the monitored system's reactions
=> possible to shape the traffic so that the IDS accepts a packet but not the monitored system (Insertion), or the contrary (Evasion)

Alert-flow control challenges
• False positives
  Cannot be avoided
  Increase with traffic
• Hiding attacks
  IDS evasion
  Alert flood
  Slow rate attacks
  Distributed attacks
=> need for intelligent alert-flow processing components

Encrypted Traffic
• Network based IDS can't monitor encrypted traffic
• Only known solution = decryption proxy, but hard to deploy
ex: https
[Diagram: HTTP/SSL Client --HTTPS--> Decryption Proxy --clear HTTP--> HTTP Server, with the Network Based IDS monitoring the clear HTTP side]

Learning from Antivirus
• Virus/Antivirus is similar to Attacks/IDS
similar techniques (signature, anomaly)
probably similar results, but antiviruses are more mature
• Evasion race (IDS evasion, polymorphism, etc.)
need for a reactive/automated filter updating process
• Anomaly detection is effective if used with signatures

Technical obstacles
• resistance to fragmentation/insertion/evasion
=> efficient TCP/IP stack
• monitoring high rate traffic
=> load balancing

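As an added illustration of the insertion/evasion problem and of the "efficient TCP/IP stack" obstacle above (this code is not from the thesis or the slides), here is a small reassembler that rebuilds a TCP stream under two hypothetical overlap policies and flags overlapping segments whose bytes disagree: a filter that follows a single policy sees a different stream than a host that follows the other, so the ambiguity itself is reported. The policy names, offsets, sample segments and signature are all constructed for the example and describe no particular operating system.

```python
# Added example, not from the slides: reassemble a TCP stream under two
# hypothetical overlap policies and flag segments whose overlapping bytes
# disagree. Segments are (offset, payload), offsets relative to stream start.
from typing import Dict, List, Tuple

Segment = Tuple[int, bytes]

def reassemble(segments: List[Segment], policy: str) -> Tuple[bytes, List[int]]:
    """Policy "first" keeps the earliest byte seen at an offset, "last" lets
    later segments overwrite it. Returns (stream, offsets where segments
    disagreed). Offsets never covered are filled with NUL so gaps stay visible."""
    if policy not in ("first", "last"):
        raise ValueError("unknown policy: %s" % policy)
    stream: Dict[int, int] = {}
    conflicts: List[int] = []
    for offset, data in segments:
        for i, byte in enumerate(data):
            pos = offset + i
            if pos in stream and stream[pos] != byte:
                conflicts.append(pos)
                if policy == "first":
                    continue  # keep what the earlier segment carried
            stream[pos] = byte
    if not stream:
        return b"", []
    rebuilt = bytes(stream.get(p, 0) for p in range(max(stream) + 1))
    return rebuilt, sorted(set(conflicts))

def analyze(segments: List[Segment], signature: bytes) -> Dict[str, bool]:
    """Match one signature against both reconstructions. A filter following a
    single policy misses what the other stack would see; the disagreement
    between policies is itself worth an alert (a possible insertion/evasion)."""
    result: Dict[str, bool] = {}
    conflicts: List[int] = []
    for policy in ("first", "last"):
        rebuilt, conflicts = reassemble(segments, policy)
        result["match_" + policy] = signature in rebuilt
    result["ambiguous_overlap"] = bool(conflicts)
    result["alert"] = result["match_first"] or result["match_last"] or bool(conflicts)
    return result

# Constructed sample: a request split in two, plus a later segment that
# overlaps the first one with different bytes.
SEGMENTS: List[Segment] = [(0, b"GET /index"), (10, b".html HTTP/1.0\r\n"), (4, b"/cgi-bin/x")]
SIGNATURE = b"/cgi-bin/"  # constructed sample pattern

if __name__ == "__main__":
    print(analyze(SEGMENTS, SIGNATURE))
```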
Solutions?
• approach 1: improving filters
• approach 2: alternative IDS architectures

Efficient filters: improve detection & alert-flow control
How?
• mixing signature & anomaly detection
a protocol anomaly analysis engine enables efficient signature matching
• internal caching and filtering of the alert-flow
reduces the volume of the alert-flow
more accurate analysis (correlation)

Efficient filters: Telnet filter example
[slide content not captured in the transcript]

Efficient filters: TCP filter example
[slide content not captured in the transcript]

Alternative IDS structure
IDSs are alert-flow management systems.
Focus on:
• multiplying alert sources
• merging alert-flows from different sources
• processing the alert-flow intelligently

Suggested Architecture: Multi IDS
[Diagram: Monitored System (Host / Network) -> Monitored Data -> several IDSs (snort, ISS, NFR) -> alert-flows -> alert flow merger -> Correlation Engine -> Monitoring Center]
• multiple IDSs
• host & network based
• multiple filtering techniques
• alert-flow correlation

Host based sensors:
detect the host side of an attack hidden from network based IDSs (evasion, encryption, etc.)
Multiple different network based sensors:
many different TCP/IP stack implementations
=> reduce the risk of evasion/insertion
Alert-flow merging and processing:
merging alert-flows
shaping the alert-flow to increase its informational load
alert correlation
data mining
=> solve the evasion/insertion, alert-flow control & encryption problems

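The alert-flow merging and correlation steps above, and the "internal caching and filtering of the alert-flow" that the efficient-filters slide calls for, as an added example that is not part of the thesis or the slides: a minimal alert-flow merger and correlator in Python. The sensor names reuse those on the architecture slide; the alert tuple layout, addresses, signature names, windows and thresholds are constructed for the example.

```python
# Added example, not from the slides: a small alert-flow merger and correlator
# for a Multi-IDS setup. Duplicate reports of one event from several sensors
# collapse to one; counts over a long window expose slow-rate and distributed attacks.
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Alert = Tuple[float, str, str, str, str]  # (time, sensor, src, dst, signature)

def merge(alerts: List[Alert], window: float = 2.0) -> List[Alert]:
    """Keep the earliest alert per (src, dst, signature); drop repeats seen
    within `window` seconds of it, whichever sensor raised them."""
    merged: List[Alert] = []
    last_kept: Dict[Tuple[str, str, str], float] = {}
    for alert in sorted(alerts):
        t, _sensor, src, dst, sig = alert
        key = (src, dst, sig)
        if key in last_kept and t - last_kept[key] <= window:
            continue
        last_kept[key] = t
        merged.append(alert)
    return merged

def correlate(alerts: List[Alert], long_window: float = 3600.0,
              slow_threshold: int = 3, distributed_threshold: int = 3) -> List[str]:
    """One source hitting one target repeatedly at a low rate: slow-rate attack.
    One target hit with one signature from many sources: distributed attack."""
    findings: List[str] = []
    start = min((a[0] for a in alerts), default=0.0)
    per_source: Dict[Tuple[str, str], int] = defaultdict(int)
    per_target: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for t, _sensor, src, dst, sig in alerts:
        if t - start <= long_window:
            per_source[(src, dst)] += 1
            per_target[(dst, sig)].add(src)
    for (src, dst), n in sorted(per_source.items()):
        if n >= slow_threshold:
            findings.append("slow-rate: %s -> %s (%d alerts)" % (src, dst, n))
    for (dst, sig), srcs in sorted(per_target.items()):
        if len(srcs) >= distributed_threshold:
            findings.append("distributed: %s %s from %d sources" % (dst, sig, len(srcs)))
    return findings

# Constructed sample: three sensors reporting one event, a slow probe spread
# over half an hour, and one target hit from three sources within seconds.
SAMPLE_ALERTS: List[Alert] = (
    [(0.1 * i, s, "10.0.0.5", "10.0.0.1", "WEB-CGI") for i, s in enumerate(("snort", "ISS", "NFR"))]
    + [(t, "snort", "10.0.0.7", "10.0.0.1", "WEB-CGI") for t in (100.0, 900.0, 1700.0)]
    + [(50.0 + i, "NFR", "10.0.0.%d" % (2 + i), "10.0.0.9", "SYN-FLOOD") for i in range(3)])
```

Running `correlate(merge(SAMPLE_ALERTS))` yields one slow-rate and one distributed finding; running `correlate` on the unmerged flow also reports the three sensors' duplicate reports as a slow-rate attack, which is the kind of false positive the merger removes.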
Remaining problems:
• reactive/automated filter updating process
=> by out-sourcing IDS management to a specialized entity
• alert-flow correlation: we are now working on it!

Conclusion
Intelligent data and alert-flow processing is the future of IDSs.