Why Intrusion Detection?

Intrusion Detection Systems
Sai Nandoor
Priya Selvam
Balaji Badam
How insecure are we?
• Attacks on computer infrastructures are a serious problem.
• Information theft is up over 250% in the last 5 years.
• 99% of all major companies report at least one major incident.
• Telecom and computer fraud totaled $10 billion in the US alone.
* Source: Eugene H Spafford. Security Seminar,
Department of Computer Sciences, Purdue University, Jan 2002.
IDS Based on Data Source
• Host Based IDS
  – Its role is to identify tampering or malicious activity occurring on the system.
  – This is achieved by monitoring log files, users, and the file system.
• Network Based IDS
  – Its role is to identify tampering or malicious activity occurring in the network traffic.
  – This is achieved by monitoring network traffic on the wire for specific activities/signatures that represent an attack.
• Hybrid IDS
  – Combination of network and host based IDS.
Host Based vs. Network Based: Advantages
• Network
  – Lowers cost of ownership
  – Detects what HIDS miss
  – Difficult to remove evidence
  – Real-time detection & response
  – Detects unsuccessful attacks
  – OS independent
• Host
  – Lower cost of entry
  – Detects what NIDS miss
  – Verifies success/failure of attack
  – Suited for encrypted environments
  – Monitors specific activities
  – Requires no additional hardware
Host Based IDS
• Specific files to be monitored are defined in a configuration file.
• Digest of the file is stored in a database.
• Multiple digest algorithms can be used.
• Examples: TRIPWIRE/AIDE/SAMHAIN
TRIPWIRE
• Can be reconfigured to prevent false alarms.
• Flexible policy language with predefined policy files and wildcard support.
AIDE
• A lighter-weight tool similar to TRIPWIRE.
SAMHAIN
• Support for stealth mode of operation.
• Encrypted and authenticated client/server connections.
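The host-based scheme on the slides (monitored paths from a configuration file, digests kept in a database, more than one digest algorithm) as a small working checker. This is an added example written for this page, not code from the slides or from TRIPWIRE/AIDE/SAMHAIN; file names, contents and the configuration format are constructed for the demo, and it runs entirely inside a temporary directory. It also follows the Implementation slide's point that the configuration file itself belongs to the protected set, and it reads the list of paths to check from the baseline database rather than from the configuration file, so that editing the configuration cannot silently drop a file from the check.

```python
"""Tripwire-style file integrity check (added example, not the slides' code)."""
import hashlib
import os
import sqlite3
import tempfile

ALGORITHMS = ("sha256", "sha512")   # more than one digest per file


def read_config(config_path):
    """One monitored path per line; blank lines and '#' comments ignored."""
    with open(config_path) as fh:
        lines = (line.strip() for line in fh)
        return [line for line in lines if line and not line.startswith("#")]


def monitored_paths(config_path):
    # The configuration file is itself a protected file.
    return [config_path] + read_config(config_path)


def digest_file(path, algorithm):
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(config_path, db_path):
    """Record a digest under every algorithm for every monitored file."""
    con = sqlite3.connect(db_path)
    con.execute("DROP TABLE IF EXISTS digests")
    con.execute("CREATE TABLE digests (path TEXT, algorithm TEXT, digest TEXT,"
                " PRIMARY KEY (path, algorithm))")
    for path in monitored_paths(config_path):
        for alg in ALGORITHMS:
            con.execute("INSERT INTO digests VALUES (?, ?, ?)",
                        (path, alg, digest_file(path, alg)))
    con.commit()
    con.close()


def check_integrity(db_path):
    """Compare every baselined file against its stored digests.

    Returns {path: 'ok' | 'modified' | 'missing'}.  The list of files comes
    from the baseline, not the (possibly tampered) configuration file."""
    con = sqlite3.connect(db_path)
    stored = {}
    for path, alg, dig in con.execute("SELECT path, algorithm, digest FROM digests"):
        stored.setdefault(path, {})[alg] = dig
    con.close()
    report = {}
    for path, expected in stored.items():
        if not os.path.exists(path):
            report[path] = "missing"
            continue
        current = {alg: digest_file(path, alg) for alg in expected}
        report[path] = "ok" if current == expected else "modified"
    return report


def demo():
    """Build a baseline over constructed files, change one, delete one, re-check."""
    workdir = tempfile.mkdtemp()
    files = {"passwd": b"root:x:0:0:root:/root:/bin/sh\n",
             "sshd_config": b"PermitRootLogin no\n",
             "hosts": b"127.0.0.1 localhost\n"}
    for name, data in files.items():
        with open(os.path.join(workdir, name), "wb") as fh:
            fh.write(data)
    config_path = os.path.join(workdir, "hids.conf")
    with open(config_path, "w") as fh:
        fh.write("# constructed list of files to protect\n")
        fh.write("\n".join(os.path.join(workdir, n) for n in files) + "\n")
    db_path = os.path.join(workdir, "digests.db")
    build_baseline(config_path, db_path)
    # Simulated tampering: one protected file edited, one removed.
    with open(os.path.join(workdir, "sshd_config"), "ab") as fh:
        fh.write(b"PermitRootLogin yes\n")
    os.remove(os.path.join(workdir, "hosts"))
    report = check_integrity(db_path)
    return {os.path.basename(p): status for p, status in report.items()}


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print("%-12s %s" % (name, status))
```

In a real deployment the baseline database would be written once from a known-good state and stored where the monitored host cannot rewrite it (read-only media or a separate host), which is what the SAMHAIN client/server arrangement on the slide provides.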
Network Based IDS
• Packet sniffing front end.
• Pattern matching engine.
• Backend database.
• Examples: SNORT/SHOKI/BRO
SNORT
• Can also operate as packet sniffer/logger.
• Flexible rule based language to describe traffic.
• Can perform protocol analysis, content searching/matching.
SHOKI
• Multi-filter rule sets that match individual packets.
• SNORT rules can be converted to SHOKI filters.
BRO
• Provides its own language.
• Passive, doesn’t terminate malicious activity.
SNORT Rules
var EXTERNAL_NET ![128.3.0.0/16,131.243.0.0/16]
var HTTP_SERVERS [128.3.0.0/16,131.243.0.0/16]
var HTTP_PORTS 80
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
output alert_fast: alarms.log
include file1.config
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS ps command attempt"; flow:to_server,established; uricontent:"/bin/ps"; nocase; sid:1328; classtype:web-application-attack; rev:4;)
Bro Rules
rule sid-1328 {
header ip[9:1] == 6
header ip[12:4] != 128.3.0.0/16,131.243.0.0/16
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][bB][iI][nN][\/\\][pP][sS]/
msg "WEB-ATTACKS ps command attempt"
}
SHOKI Rules
tcp 65536 THRESHOLD:1:10:20 SAMP-6 http h([t]*p):// 0x687474 ALL
tcp 65536 HOST_SCAN:2:20:40 SAMP-7 host scan NULL ALL
tcp 65536 PORT_SCAN:3:30:50 SAMP-8 p_scan ALL
ACID screen capture for SNORT
Hybrid IDS
• Can be clustered
• Centralized database
• Provides file protection by using digest
• Network sensing using packet sniffing
• Blends strengths of HIDS & NIDS
• Examples: MANHUNT/PRELUDE/DRAGON
MANHUNT
• Detects new and modified attacks
• Dynamically reassign ports scanned
• Flowchaser and Trackback to fight DDoS
PRELUDE
• Incorporates information from other IDS
• Provides hooks to firewalls, honeypots, etc.
• Uses multiple sensors and a report server
DRAGON
• Provides IDS evasion countermeasures by keeping a large database of known hacker techniques and searching for anomalies.
Goals
• Design a hybrid system
• Send instantaneous alerts to network administrator and other hosts
• Use secure communication channels
• Keep configuration file secure
• Keep checksum database secure
• Maintain list of intruders
• Maintain a log of attacks
Design
[Architecture diagram: components shown are Intruder, Host, Administrator, Firewall, Database, Other Hosts]
Implementation
• Dedicated sockets for communication
• Messages encrypted using AES
• Configuration file included in list of secure files
• Checksums encrypted using AES
• Network administrator maintains log of intrusions
• Hosts maintain a list of intruders
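The Goals and Implementation slides describe one message flow: a host detects tampering, sends an alert over a dedicated socket to the network administrator, the administrator logs it, and the other hosts are told so they can add the source to their intruder lists. The following is an added example of that exchange, not the project's code. The slides encrypt messages with AES; the Python standard library has no AES, so this example instead protects each message with an HMAC-SHA256 tag under a pre-shared key, which gives authenticity and integrity (a forged or altered alert is rejected) but not confidentiality. The key, host names, file path and source address are constructed, and socket pairs stand in for the dedicated TCP connections between machines.

```python
"""Added example: authenticated alert exchange host -> administrator -> other hosts."""
import hashlib
import hmac
import json
import socket

SHARED_KEY = b"constructed-demo-key"   # assumption: pre-shared out of band


def seal(event, key=SHARED_KEY):
    """Serialise an alert and append an HMAC-SHA256 tag; one message per line."""
    body = json.dumps(event, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return (json.dumps({"body": body, "tag": tag}) + "\n").encode()


def unseal(raw, key=SHARED_KEY):
    """Return the event if the tag verifies, otherwise None."""
    try:
        msg = json.loads(raw.decode())
        expected = hmac.new(key, msg["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return None
        return json.loads(msg["body"])
    except (ValueError, KeyError, TypeError, AttributeError):
        return None


class Host:
    """A monitored host: keeps the list of intruders announced by the admin."""
    def __init__(self, name):
        self.name = name
        self.intruders = set()

    def receive(self, raw):
        event = unseal(raw)
        if event and event.get("kind") == "intruder":
            self.intruders.add(event["source"])
        return event


class Administrator:
    """Keeps the intrusion log and fans intruder notices out to other hosts."""
    def __init__(self, other_host_sockets):
        self.attack_log = []
        self.other_host_sockets = other_host_sockets

    def receive(self, raw):
        event = unseal(raw)
        if event is None:
            # Logged, but never trusted and never forwarded.
            self.attack_log.append({"kind": "rejected", "reason": "bad or missing tag"})
            return None
        self.attack_log.append(event)
        notice = seal({"kind": "intruder", "source": event["source"]})
        for sock in self.other_host_sockets:
            sock.sendall(notice)
        return event


def demo():
    """Run one genuine alert and one forged alert through the exchange."""
    h2 = Host("h2")
    h1_to_admin, admin_from_h1 = socket.socketpair()
    admin_to_h2, h2_from_admin = socket.socketpair()
    admin = Administrator([admin_to_h2])
    try:
        # 1. Host h1 reports that a protected file changed (constructed event).
        h1_to_admin.sendall(seal({"kind": "file-modified", "host": "h1",
                                  "path": "/etc/sshd_config",
                                  "source": "192.0.2.10"}))
        admin.receive(admin_from_h1.recv(65536))
        h2.receive(h2_from_admin.recv(65536))
        # 2. An alert sealed under the wrong key is rejected; h2 hears nothing.
        forged = seal({"kind": "file-modified", "host": "h1",
                       "path": "/etc/passwd", "source": "198.51.100.7"},
                      key=b"wrong-key")
        h1_to_admin.sendall(forged)
        admin.receive(admin_from_h1.recv(65536))
    finally:
        for s in (h1_to_admin, admin_from_h1, admin_to_h2, h2_from_admin):
            s.close()
    return admin.attack_log, h2.intruders


if __name__ == "__main__":
    log, intruders = demo()
    for entry in log:
        print(entry)
    print("h2 intruder list:", sorted(intruders))
```

The shared key makes every host able to forge alerts to every other, so a compromised host can still inject notices; per-host keys, or the authenticated client/server connections the SAMHAIN slide mentions, remove that weakness.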
Sample execution
Lessons Learned
• Hybrid IDS involves a lot of components
• Comm. between hosts and admins must be secure
• Configuration files are vulnerable
• Hybrid IDS provides better security
Future Work
• Network sensors to defend DDoS attacks
• Incorporate different hashing algorithms
• Add feature to track sources of DDoS
• Incorporate data from existing IDS
• Add a file change notification component
References
• Intrusion Detection Systems, Ricky M. Magalhaes, http://www.windowsecurity.com
• An Introduction to Intrusion Detection, Aurobindo Sundaram, ACM Crossroads
• Network Vs. Host Based Intrusion Detection, http://www.isskk.co.jp
• IDS Products, http://www.netsmart.net.au
• Intrusion Detection and Network Auditing on the Internet, http://www.infosyssec.com