Transcript IDS definition and classification

IDS/IPS Definition and
Classification
Contents
• Overview of IDS/IPS
• Components of an IDS/IPS
• IDS/IPS classification
– By scope of protection
– By detection model
2/57
Overview of IDS/IPS
• Intrusion
– A set of actions aimed at compromising the
security goals (confidentiality, integrity,
availability of a computing/networking
resource)
• Intrusion detection
– The process of identifying and responding to
intrusion activities
• Intrusion prevention
– The process of both detecting intrusion
activities and managing responsive actions
throughout the network.
3/57
Overview of IDS/IPS
• Intrusion detection system (IDS)
– A system that performs automatically the
process of intrusion detection.
• Intrusion prevention system (IPS)
– A system that has an ambition to both detect
intrusions and manage responsive actions.
– Technically, an IPS contains an IDS and
combines it with preventive measures
(firewall, antivirus, vulnerability assessment)
that are often implemented in hardware.
4/57
Overview of IDS/IPS
• Some authors consider an IPS a new
(fourth) generation IDS – a convergence of
firewall and IDS.
• IPS use IDS algorithms to monitor and
drop/allow traffic based on expert analysis.
• The ”firewall” part of an IPS can prevent
malicious traffic from entering/exiting the
network. It can also alert the operator
about such activities.
5/57
Overview of IDS/IPS
• A complete IPS solution usually has the
capability of enforcing traditional static
firewall rules and operator-defined
whitelists and blacklists.
• IPS are very resource intensive. In order
to operate with high performance, they
should be implemented by means of the
best hardware and software technologies.
• IPS hardware often includes ASICs
(Application Specific Integrated Circuits). 6/57
Overview of IDS/IPS
• Principal differences between IDS and
IPS:
– IPS try to block malicious traffic, unlike IDS
that just alert personnel to its presence.
– IPS acts to combine single-point security
solutions (anti-virus, anti-spam, firewall,
IDS, …).
7/57
Overview of IDS/IPS
• Basic assumptions:
– System activities are observable
– Normal and intrusive activities have distinct
evidence – the goal of an IDS/IPS is to detect
the difference.
8/57
Components of an IDS/IPS
System activities are
observable
Incoming
traffic/logs
Data pre-processor
Activity data
Detection
model(s)
Detection algorithm
Alerts
Decision
criteria
Alert filter
Normal and intrusive
activities have distinct
evidence
Action/Report
9/57
Components of an IDS/IPS
• Data pre-processor
– Collects and formats the data to be analyzed by the
detection algorithm.
• Detection algorithm
– Based on the detection model, detects the difference
between ”normal” and intrusive audit records.
• Alert filter
– Based on the decision criteria and the detected
intrusive activities, estimates their severity and alerts
the operator/manages responsive activities (usually
blocking).
10/57
Components of an IDS/IPS
• Incoming traffic/log data
– Packets – headers contain routing information,
content may (and is more and more) also be
important for detecting intrusions.
– Logs – a chronological set of records of system
activity.
11/57
Components of an IDS/IPS
• Incoming traffic/log data (cont.)
– Problems related to data
• Inadequate format for intrusion detection
• Information important for intrusion detection is often
missing (e.g. in log files).
– Thus we need some data pre-processing
• Adjust data format (relatively easy)
• Resolve for missing data (not so easy)
– Insertion of reconstructed values
– Special distances (for unequal-length data patterns).
12/57
Components of an IDS/IPS
• Detection algorithm
– Checks the incoming data for presence of
anomalous content.
– A major detection problem
• There is no sharp limit between “normal” and
“intrusive” – it often depends on the context – hence
statistical analysis of the input data may be useful.
• To determine the context, a lot of memory is needed.
13/57
Components of an IDS/IPS
• Alert filter
– Determines the severity of the detected
intrusive activity.
– A major decision problem
• It is difficult to estimate the severity of threat in real
time.
• Filtering is normally carried out by means of a set
of thresholds (decision criteria). Thresholds should
be carefully set in order to maintain a high level of
security and a high level of system performance at
the same time.
14/57
IDS/IPS classification
• By scope of protection (or by location)
– Host-based IDS
– Network-based IDS
– Application-based IDS
– Target-based IDS
• By detection model
– Misuse detection
– Anomaly detection
15/57
IDS classification
• Host-based
– Collect data from sources internal to a
computer, usually at the operating system
level (various logs etc.)
– Monitor user activities.
– Monitor executions of system programs.
16/57
IDS classification
• Network-based
– Collect network packets. This is usually done
by using network devices that are set to the
promiscuous mode. (A network device
operating in the promiscuous mode captures
all network traffic accessible to it, not just that
addressed to it.)
– Have sensors deployed at strategic locations
– Inspect network traffic
– Monitor user activities on the network.
17/57
IDS classification
• Application-based
– Collect data from running applications.
– The data sources include application event
logs and other data stores internal to the
application.
18/57
IDS classification
• Target-based (integrity verification)
– Generate their own data (by adding code to
the executable, for example).
– Use checksums or cryptographic hash
functions to detect alterations to system
objects and then compare these alterations to
a policy.
– Trace calls to other programs from within the
monitored application.
19/57
IDS classification
• Misuse detection
– Asks the following question about system
events: Is this particular activity bad?
– Misuse detection involves gathering
information about indicators of intrusion in a
database and then determining whether such
indicators can be found in incoming data.
20/57
IDS classification
• Misuse detection (cont.)
– To perform misuse detection, the following is
needed:
• A good understanding of what constitutes a
misuse behaviour (intrusion patterns, or
signatures).
• A reliable record of user activity.
• A reliable technique for analyzing that record
of activity (very often – pattern matching).
21/57
Misuse Detection
Intrusion
patterns
(signatures)
Analysis
(e.g. pattern
matching)
Intrusion
Activities
Signature example: if src_ip = dst_ip then “land attack”
22/57
IDS classification
• Misuse detection (cont.)
– It is best suited for reliably detecting known
misuse patterns (by means of signatures).
– It is not possible to detect previously unknown
attacks, or attacks with unknown signature. A
single bit of difference may be enough for an
IDS to miss the attack.
– However, it is possible to use the existing
knowledge (for instance, of outcomes of
attacks) to recognize new forms of old
attacks.
23/57
IDS classification
• Misuse detection (cont.)
– Misuse detection has no knowledge about the
intention of activity that matches a signature.
– Hence it sometimes generates alerts even if
the activities are normal (normal activities
often closely resemble the suspicious ones).
– Hence IDS that use signature detection are
likely to generate false positives.
24/57
IDS classification
• Misuse detection (cont.)
– New attacks require new signatures, and the
increasing number of vulnerabilities causes
that signature databases grow over time.
– Every packet must be compared to each
signature for the IDS to detect intrusions. This
can become computationally expensive as the
amount of bandwidth increases.
25/57
IDS classification
• Misuse detection (cont.)
– When the amount of bandwidth overwhelms
the capabilities of the IDS, it causes the IDS
to miss or drop packets.
– In this situation, false negatives are possible.
26/57
IDS classification
• Anomaly detection
– Anomaly detection involves a process of
establishing profiles of normal user behaviour,
comparing actual user behaviour to those
profiles, and alerting if deviations from the
normal behaviour are detected.
– The basis of anomaly detection is the
assertion that abnormal behaviour patterns
indicate intrusion.
27/57
IDS classification
• Anomaly detection (cont.)
– Profiles are defined as sets of metrics measures of particular aspects of user
behaviour.
– Each metric is associated with a threshold or
a range of values.
28/57
IDS classification
• Anomaly detection (cont.)
– Anomaly detection depends on an
assumption that users exhibit predictable,
consistent patterns of system usage.
– The approach also accommodates
adaptations to changes in user behaviour
over time.
29/57
IDS classification
• Anomaly detection (cont.)
– The completeness of anomaly detection
depends on the selected set of metrics – it
should be rich enough to express as much of
anomalous behaviour as possible.
– Capable of detecting new attacks.
30/57
IDS classification
• Anomaly detection (cont.)
– An attacker can replicate a misuse detection
system and check which signatures it detects.
– Then he/she can use the attack not
detectable by the IDS in question.
– This is not possible to do with an anomaly
detection system.
31/57
IDS classification
• Anomaly detection (cont.)
– However, it is not always the case that
abnormal behaviour patterns indicate an
intrusion – sometimes, rare sequences
represent normal behaviour. This is a major
problem in anomaly detection – false
positives.
– If anomaly detection IDS thresholds are set
too high, we may miss the attacks and have
false negatives.
32/57
Anomaly Detection
Profiles of
normal
behaviour
Analysis
Intrusion
Activities
33/57
IDS classification
• Anomaly detection (cont.)
– Methods of anomaly detection:
•
•
•
•
Statistical methods
Artificial intelligence (cognitive science,…)
Data mining
Mathematical abstractions of biological systems
(neural nets, immunological system simulation,
process homeostasis…)
• Etc.
34/57
IDS classification
• The fundamental debate between
proponents of anomaly detection and
proponents of misuse detection:
– Overlap of the regions representing "normal,"
and "misuse “ activities.
35/57
IDS classification
• The proponents of anomaly detection assert
that the intersection between the two
regions is minimal.
• The proponents of misuse detection assert
that the intersection is quite large, to the
point that given the difficulties in
characterizing "normal” activity, it is
pointless to use anomaly detection.
36/57
IDS classification
• The solution of this problem is probably in
combining the two detection models.
• Although the IDS/IPS manufacturers do
not publish the details of their designs, it is
quite probable that they combine misuse
detection and anomaly detection approach
in their solutions.
37/57
Attack fundamentals
• Four phases in the attacking process:
– Planning phase
– Reconnaissance phase
– Attack phase
– Post attack phase.
38/57
Attack fundamentals
39/57
Attack fundamentals
• Planning phase
– Can take many different forms.
– The attacker often makes use of the system in
its intended manner before making the attack.
– Example: the attacker may sign up for an
account on an online e-commerce system or
log onto a public server.
– This type of publicly available legitimate
access helps the attacker define the scope
and goals of the attack.
40/57
Attack fundamentals
• Planning phase (cont.)
– After the initial preparation is complete, the
attacker decides on the scope of the attack.
– The attacker may have various goals:
•
•
•
•
Denial of service
Escalation of legitimate privileges
Unauthorized access
Data manipulation
– The motivation behind an attack often dictates
which of these goals are chosen.
41/57
Attack fundamentals
• Reconnaissance phase
– The attacker next gathers information or
performs reconnaissance on the targeted
network.
– The attacker carries out a variety of different
inquiries with the goal of pinpointing a specific
method of attack (port scanning etc.)
– The goal of the attacker in this phase is to
narrow down the field of thousands of
possible exploits to a small number of
vulnerabilities that are specific to the targeted
host/network.
42/57
Attack fundamentals
• Reconnaissance phase (cont.)
– The attacker attempts to make this
reconnaissance as hard to notice as possible.
– Even so, there are many different means of
reconnaissance and some of them can be
detected by an intrusion detection system.
– Sources of information for the attacker:
• Legitimate public data (forums, public databases,
public monitoring tools, etc.)
• Vulnerability scanning (ping, TCP connect, OS and
version scanning, etc.)
43/57
Attack fundamentals
• Attack phase
– The traffic generated from attacks can take
many different forms.
– Types of attacks:
•
•
•
•
Denial of service
Remote exploits
Trojans and backdoor programs
Misuse of legitimate access
44/57
Attack fundamentals
• Attack phase (cont.)
– Denial of service (DoS)
• Any attack that disrupts the function of a system so
that legitimate users can no longer access it.
• Possible on most network equipment: routers,
servers, firewalls, remote access machines, etc.
• Can be specific to a service (e.g. FTP attack), or
an entire machine.
• Categories of DoS
– Resource depletion
– Malicious packet attacks.
45/57
Attack fundamentals
• Attack phase (cont.)
– Denial of service (DoS) (cont.)
• Resource depletion DoS attack
– Functions by flooding a service with so much normal
traffic that legitimate users cannot access the service.
– An attacker inundating a service with normal traffic can
exhaust finite resources such as bandwidth, memory and
processor cycles.
– Examples: SYN flood, Smurf, etc.
46/57
Attack fundamentals
• Attack phase (cont.)
– Denial of service (DoS) (cont.)
• Malicious packet DoS attacks
– Function by sending abnormal traffic to a host to cause
the service or the host itself to crash.
– Occur when software is not properly coded to handle
abnormal or unusual traffic.
– Such traffic can cause software to react unexpectedly
and crash.
– Attackers can use these attacks to bring down even IDS.
– Examples: Microsoft FTP DoS, SNORT ICMP DoS, etc.
47/57
Attack fundamentals
• Attack phase (cont.)
– Denial of service (DoS) (cont.)
• Malicious packet DoS attacks (cont.)
– In addition to unusual traffic, malicious packets can
contain payloads that cause a system to crash.
– A packet's payload is taken as input into a service.
– If this input is not properly checked, the application can
be brought down.
48/57
Attack fundamentals
• Attack phase (cont.)
– Denial of service (DoS) (cont.)
• DoS attacks commonly utilize spoofed IP
addresses because the attack is successful even if
the response is misdirected.
• The attacker requires no response, and in cases
like the Smurf attack, wants at all costs to avoid a
response.
• This can make DoS attacks difficult to defend from,
and even more difficult to detect.
49/57
Attack fundamentals
• Attack phase (cont.)
– Remote exploits
• Attacks designed to take advantage of improperly
coded software to compromise and take control of
a vulnerable host.
• Can function in the same manner as the malicious
payload traffic DoS attacks.
• Take advantage of improperly checked input or
configuration errors.
• Examples: buffer overflow, Unicode exploit, Cookie
poisoning, SQL injection, etc.
50/57
Attack fundamentals
• Attack phase (cont.)
– Trojans and Backdoor programs
• By installing a backdoor program or a Trojan, an
attacker can bypass normal security controls and
gain privileged unauthorized access to a host.
• A backdoor program can be deployed on a system
in a variety of different ways. E.g. a malicious
software engineer can add a backdoor program
into legitimate software code.
• Backdoor programs might be added for legitimate
maintenance reasons in the software development
life cycle, but later forgotten.
51/57
Attack fundamentals
• Attack phase (cont.)
– Trojans and Backdoor programs (cont.)
• A Trojan is defined as software that is disguised as
a benign application.
• Remote control Trojans typically listen on a port like
a genuine application.
• Through this open port, an attacker controls them
remotely.
• Trojans can be used to perform any number of
functions on the host.
52/57
Attack fundamentals
• Attack phase (cont.)
– Trojans and Backdoor programs (cont.)
• Some Trojans include portscanning and DoS
features.
• Others can take screen and Webcam captures and
send them back to the attacker.
• Trojans and backdoor programs have traditionally
listened on a TCP or UDP port, making it easy to
detect them and undertake countermeasures.
53/57
Attack fundamentals
• Attacks phase (cont.)
– Trojans and Backdoor programs (cont.)
• Because of that, Trojans have evolved so they no
longer need to listen on a TCP or UDP port.
• Instead, they listen for a specific sequence of
events before processing commands.
• It may be a combination of predetermined source
addresses, TCP header information, or false
destination ports that do not match to a listening
service.
54/57
Attack fundamentals
• Attack phase (cont.)
– Misuse of Legitimate Access
• Attackers often attempt to gain unauthorized use of
legitimate accounts by getting authentication
information.
• This can be performed by means of technical
and/or social engineering methods.
• IDS, especially the anomaly detection ones, may
be used to detect such activities.
55/57
Attack fundamentals
• Post-attack phase
– After an attacker has successfully penetrated
into a host on the targeted network, further
actions he/she will take are in general
unpredictable.
– In this phase, the attacker carries out his/her
plan and makes use of information resources
as he/she considers appropriate.
56/57
Attack fundamentals
• Post-attack phase
– Possible post-attack activities:
•
•
•
•
•
•
Covering tracks
Penetrating deeper into network infrastructure
Using the host to attack other networks
Gathering, manipulating, or destroying data
Handing over the host to a friend or a hacker group
Walking or running away without doing anything.
57/57