Transcript IDS

Intrusion Detection Systems
(A preliminary study)
Sireesha Dasaraju
CS526 - Advanced Internet Systems
UCCS
5/1/2006
Sireesha/IDS
1
Goals
• Identify types of network attacks
• Explore IDS details
– Benefits, Categories, Detection Techniques, Performance measurements
• Snort
– Why Snort, Components and operation, Snort Rules
• Future enhancements
Network Attacks
• With ever-increasing Internet-enabled services, a computer network should be guarded against network attacks.
• A few network threats
– Worms
• Self-propagating malicious code; automatic distribution via network connections
– Virus
• Self-replicating code. Can be attached to any host application
– Denial of Service
• Overloading of resources, making them unavailable to legitimate users.
IDS Details - Why an IDS?
• Firewalls - Though a valid first step, not enough
– Attacks can happen before its rules are updated.
– Laptops can be infected outside the network and then brought in.
– Wireless access into a network.
• Benefits
– Detection of Attacks
– Enforcing policies
– Audit trails
IDS Details - Types
• Two types of IDS
– Network-based IDS (NIDS)
• Analyze packets coming across a network connection.
• Logs for post-attack analysis
• Real-time alerts
– Host-based IDS (HIDS)
• Monitors a single system
• File integrity checks
• Analyze system logs for unusual activities - e.g. multiple login attempts
IDS Details - Detection Techniques
• Two techniques
– Signature based
• Maintain a store of known attack signatures.
• Analyze new traffic against the contents of the store.
• Only known attacks can be detected, so the first occurrence of a new attack cannot be detected.
– Anomaly based
• Create and maintain a profile based on normal behavior.
• Analyze new traffic against a model profile.
• New attacks can be detected.
IDS Details - Performance
• Performance
– Measured in terms of
• False positives
– Alert generated on traffic that is not an attack.
– Alert generated on an attack not intended for the system being monitored.
• False negatives
– Alerts not generated for real attacks.
– Most dangerous, as they lead to undetected attacks.
Snort
• Open Source, signature-detecting, network-based IDS
• Passive - No changes required for the system being monitored.
• Versatile - Can be used as IDS, IPS (Intrusion Prevention System), inline firewall.
• Available for all major operating systems.
• Logging to Oracle, SQL, MySQL, PostgreSQL
• Rules are very simple, easy to develop and effective.
Snort Packet Processing
• A packet capture library captures raw data from the network card and sends it to Snort.
• Snort decodes the packets based on protocol.
• Preprocessors are applied to normalize traffic.
• Normalized traffic is passed through the detection engine.
• An alert is generated if traffic matches a rule.
Snort - Rules
• Snort Rule
– Header
• Rule Action (log, alert, pass …)
• Protocol (IP, ICMP, TCP, UDP)
• Source Address and Port
• Flow
• Destination Address and Port
– Body
• Output message
• Additional tests
– Example
• alert tcp 192.168.1.18/32 any -> any 1:1023 (msg:"eBaying"; uricontent:"ebay.com";)
Research for enhancements
• Enhancement goals
– Extend Snort to include an automatic signature generation component.
– Extend Snort to detect anomaly-based intrusions.
Semantics-Aware Signatures
• Nemean -- Automatic generation of intrusion signatures from honeynet packet traces.
– Aggregate and transform the packet trace into well-defined data structures and group packets into sessions and flows.
– Generate clusters of sessions based on similarity analysis.
– Normal traffic will not result in a cluster formation.
– A cluster generated represents a single attack. Slight variations are accounted for.
– An attack signature is generated from the generated clusters.
(Source: USENIX Security 2005 Symposium)
Anomaly Detection
Payload-based anomaly detection.
• Operates in two phases
– Learning Phase
• A profile of expected payload is constructed during normal operation by using a byte frequency distribution analysis of the payload.
– Anomaly Detection Phase
• Incoming payload is compared against the profile.
• Statistical distributions are compared and an alert is generated when the comparison yields greater than a threshold value.
• Resistant to mimicry attacks, since payloads are compared.
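The two phases above, as an added example that is not part of the slides or of any published detector: the profile is the per-byte mean and standard deviation of the byte frequency distribution over constructed "normal" HTTP requests, and the comparison is a simplified Mahalanobis distance against a hand-picked threshold (both the distance and the threshold are assumptions of this example).

```python
# Added example (not from the slides): a minimal payload-based anomaly detector.
# Learning phase: profile normal payloads as mean/std-dev of each byte value's
# relative frequency.  Detection phase: distance to the profile vs. a threshold.
from typing import Iterable, List, Tuple

# Smoothing term added to each standard deviation so a byte value never seen
# during learning does not divide by zero (an assumption of this example).
SMOOTHING = 0.001

def byte_frequencies(payload: bytes) -> List[float]:
    """Relative frequency of each of the 256 byte values in the payload."""
    counts = [0] * 256
    for b in payload:
        counts[b] += 1
    n = max(len(payload), 1)
    return [c / n for c in counts]

def learn_profile(normal: Iterable[bytes]) -> Tuple[List[float], List[float]]:
    """Learning phase: per-byte mean and standard deviation over normal payloads."""
    dists = [byte_frequencies(p) for p in normal]
    m = len(dists)
    mean = [sum(d[i] for d in dists) / m for i in range(256)]
    std = [(sum((d[i] - mean[i]) ** 2 for d in dists) / m) ** 0.5 for i in range(256)]
    return mean, std

def anomaly_score(payload: bytes, profile: Tuple[List[float], List[float]]) -> float:
    """Simplified Mahalanobis distance between the payload's byte distribution and the profile."""
    mean, std = profile
    freq = byte_frequencies(payload)
    return sum(abs(freq[i] - mean[i]) / (std[i] + SMOOTHING) for i in range(256))

def is_anomalous(payload: bytes, profile: Tuple[List[float], List[float]], threshold: float) -> bool:
    """Detection phase: alert when the distance exceeds the threshold."""
    return anomaly_score(payload, profile) > threshold

# Constructed sample of "normal" traffic: plain-text HTTP requests to a web port.
NORMAL = [
    b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n",
    b"GET /about.html HTTP/1.0\r\nHost: example.test\r\n\r\n",
    b"GET /images/logo.png HTTP/1.0\r\nHost: example.test\r\n\r\n",
    b"POST /login HTTP/1.0\r\nHost: example.test\r\n\r\nuser=a&pass=b",
]
PROFILE = learn_profile(NORMAL)
THRESHOLD = 200.0  # chosen by hand for this toy profile; tune against real traffic

if __name__ == "__main__":
    # A fresh request built from bytes seen in learning vs. a payload of high bytes only.
    for p in (b"GET /logo.png HTTP/1.0\r\nHost: example.test\r\n\r\n", bytes(range(128, 256)) * 4):
        print(round(anomaly_score(p, PROFILE), 1), is_anomalous(p, PROFILE, THRESHOLD))
```

Bytes never seen during learning have zero mean and standard deviation, so any occurrence of them scores heavily; that is what makes the second payload trip the threshold while the unseen-but-similar request does not.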
Resources
• Snort Page: www.snort.org
• Anomaly Detection on ITArchitect: http://www.itarchitect.com/showArticle.jhtml?articleID=163700677
• More links to resources available in the project report.