Transcript Intrusion Detection

Intrusion Detection
By
Vidya Satyanarayanan
What is Intrusion?
Intrusion is an unauthorized attempt or achievement to
access, alter, render unavailable, or destroy information on a
system or the system itself.
The art of detecting such activities is known as Intrusion
Detection.
How do Intruders get into systems?
 Physical Intrusion
 System Intrusion
 Remote Intrusion
Why can intruders get into systems?
 Software bugs
 System configuration
 Password cracking
1. Clear-text sniffing
2. Encrypted sniffing
3. Replay attack
4. Password file stealing
Intrusion Detection Systems
IDSs fall into 2 categories:
1. Network-based IDSs
2. Host-based IDSs
Host-based IDSs

A host monitor looks at system logs for evidence of
malicious or suspicious application activity.

More detailed logging. But can track only successful
intrusions.

Monitoring happens in the host, so a successful attack can
bring down the system and terminate the monitoring.

Can monitor changes to critical system files and changes in
user privileges.

Can monitor TCP port activity and notify system admin
when specific ports are accessed.
Drawbacks of Host-based IDSs

Host-based IDSs are not real-time.

Tedious to secure the whole network.
Some Advantages:

Can identify non-network-based attacks like activities of
applications and process running on the host.

More likely to catch unknown attacks.
Network-based IDSs
A network monitor watches live network packets and
looks for signs of computer crime, network attacks, network
misuse and anomalies.
Can detect denial-of-service attack.
Ping-of-Death
SYN Flood
Land/Latierra
Network-based IDSs become less effective as network traffic
increases.
How are intrusions detected?

Anomaly Detection (profile-based)

Misuse Detection (Signature-based)
Misuse Detection
Recognizes known attacks based on signatures and patterns.
Starts defending the network immediately upon installation.
Have low false alarm rate (false positives).
Effective only against known threats.
Ineffective against passive attacks such as n/w sniffing, wire
taps, IP or sequence number spoofing.
Should constantly update the signature database.
Anomaly Detection
Base-line measurements for “normal” user activity is
developed and anything that deviates from the normal is
detected.
Needs a lot of historical data for building an accurate
model.
Can detect attempts to exploit new vulnerabilities.
Have high false alarms.
Can detect fraudulent activity of a privileged insider.
“Normal”
Activity
Activity
Normalizer
Alarming &
Reporting
Sensor
Activity
Rules
Engine
Known
Malicious
Activity
Components of IDS
What happens after a NIDS
detects an attack?
Reconfigure firewall - Configure the firewall to filter
out the IP address of the intruder.
Chime - Beep or play a .WAV file.
Log the attack - Save the attack information
(timestamp, intruder IP address, victim IP address/port,
protocol information).
Launch program - Launch a separate program to
handle the event.
Terminate the TCP session - Forge a TCP FIN packet
to force a connection to terminate.
Honeypot – a deception system
A honeypot is a system designed to look like something
that an intruder can hack. Like installing a machine on the
network with no particular purpose other than to log all
attempted access.
Network-based IDS Products
CiscoSecure IDS 2.5
ISS RealSecure 7
Dragon 6
NFR
Snort 1.8.6
Host-based IDS Products
Real Secure Server Sensor
DragonSquire
NFR HID
Entercept 2.5