Computer Security: Principles and Practice
Fourth Edition
By: William Stallings and Lawrie Brown

Chapter 8
Intrusion Detection
Classes of Intruders – Cyber Criminals
Individuals or members of an organized crime group with a goal of financial reward
Their activities may include:
Identity theft
Theft of financial credentials
Corporate espionage
Data theft
Data ransoming
Typically they are young, often Eastern European, Russian, or southeast Asian hackers, who do business on the Web
They meet in underground forums to trade tips and data and coordinate attacks
Classes of Intruders – Activists
Are either individuals, usually working as insiders, or members of a larger group of outsider attackers, who are motivated by social or political causes
Also known as hacktivists
Skill level is often quite low
Aim of their attacks is often to promote and publicize their cause, typically through:
Website defacement
Denial of service attacks
Theft and distribution of data that results in negative publicity or compromise of their targets
Classes of Intruders – State-Sponsored Organizations

Classes of Intruders – Others
Hackers with motivations other than those previously listed
Include classic hackers or crackers who are motivated by technical challenge or by peer-group esteem and reputation
Many of those responsible for discovering new categories of buffer overflow vulnerabilities could be regarded as members of this class
Given the wide availability of attack toolkits, there is a pool of “hobby hackers” using them to explore system and network security
Intruder Skill Levels – Apprentice
Hackers with minimal technical skill who primarily use existing attack toolkits
They likely comprise the largest number of attackers, including many criminal and activist attackers
Given their use of existing known tools, these attackers are the easiest to defend against
Also known as “script-kiddies” due to their use of existing scripts (tools)

Intruder Skill Levels – Journeyman
Hackers with sufficient technical skills to modify and extend attack toolkits to use newly discovered, or purchased, vulnerabilities
They may be able to locate new vulnerabilities to exploit that are similar to some already known
Hackers with such skills are likely found in all intruder classes
Adapt tools for use by others

Intruder Skill Levels – Master
Hackers with high-level technical skills capable of discovering brand new categories of vulnerabilities
Write new powerful attack toolkits
Some of the better known classical hackers are of this level
Some are employed by state-sponsored organizations
Defending against these attacks is of the highest difficulty
Examples of Intrusion (means and ends)
Remote root compromise
Guessing/cracking passwords
Running a packet sniffer
Using an unsecured modem to access internal network
Impersonating an executive to get information
Using an unattended workstation
Web server defacement
Copying databases containing credit card numbers
Viewing sensitive data without authorization
Distributing pirated software

Intruder Behavior
Table 8.1 Examples of Intruder Behavior
(Table can be found on pages 255-256 in the textbook.)

Definitions
Security Intrusion: Unauthorized act of bypassing the security mechanisms of a system
Intrusion Detection: A hardware or software function that gathers and analyzes information from various areas within a computer or a network to identify possible security intrusions
Intrusion Detection System (IDS)
Host-based IDS (HIDS): Monitors the characteristics of a single host for suspicious activity
Network-based IDS (NIDS): Monitors network traffic and analyzes network, transport, and application protocols to identify suspicious activity
Distributed or hybrid IDS: Combines information from a number of sensors, often both host and network based, in a central analyzer that is able to better identify and respond to intrusion activity

IDS Requirements

Analysis Approaches
Anomaly detection:
Involves the collection of data relating to the behavior of legitimate users over a period of time
Current observed behavior is analyzed to determine whether this behavior is that of a legitimate user or that of an intruder
Signature/Heuristic detection:
Uses a set of known malicious data patterns or attack rules that are compared with current behavior
Also known as misuse detection
Can only identify known attacks for which it has patterns or rules

Anomaly Detection
A variety of classification approaches are used:

Signature or Heuristic Detection
Host-Based Intrusion Detection (HIDS)
Adds a specialized layer of security software to vulnerable or sensitive systems
Can use either anomaly or signature and heuristic approaches
Monitors activity to detect suspicious behavior
Primary purpose is to detect intrusions, log suspicious events, and send alerts
Can detect both external and internal intrusions

Data Sources and Sensors
Table 8.2 Linux System Calls and Windows DLLs Monitored
(Table can be found on page 264 in the textbook)

Network-Based IDS (NIDS)
Intrusion Detection Techniques
Attacks suitable for signature detection:
Application layer reconnaissance and attacks
Transport layer reconnaissance and attacks
Network layer reconnaissance and attacks
Unexpected application services
Policy violations
Attacks suitable for anomaly detection:
Denial-of-service (DoS) attacks
Scanning
Worms

Stateful Protocol Analysis (SPA)
Subset of anomaly detection that compares observed network traffic against predetermined universal vendor supplied profiles of benign protocol traffic
This distinguishes it from anomaly techniques trained with organization specific traffic profiles
Understands and tracks network, transport, and application protocol states to ensure they progress as expected
A key disadvantage is the high resource use it requires
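The following is an added example, not code from the textbook or from any IDS vendor: a minimal TCP handshake tracker of the kind SPA performs. The benign-protocol profile is the TCP state machine itself (client SYN, server SYN/ACK, client ACK, data, FIN), so no organization-specific training data is needed. The packet trace is constructed for the example.

```python
"""Minimal stateful protocol analysis (SPA) for TCP: added example, not from
the textbook or any IDS product. A per-flow state machine encodes the
vendor-style profile of a benign TCP connection (SYN, SYN/ACK, ACK, data,
FIN) and reports packets that do not fit the state the flow is in."""
from collections import namedtuple

# dir is "c2s" (client to server) or "s2c"; flags is the TCP flags byte.
Pkt = namedtuple("Pkt", "flow dir flags payload")
FIN, SYN, PSH, ACK = 0x01, 0x02, 0x08, 0x10


class TcpTracker:
    def __init__(self):
        self.state = {}        # flow id -> connection state
        self.violations = []   # (flow, state when seen, reason)

    def note(self, p, state, reason):
        self.violations.append((p.flow, state, reason))

    def observe(self, p):
        st = self.state.get(p.flow, "NEW")
        has = lambda mask: p.flags & mask == mask
        if has(SYN | FIN):            # never legal, whatever the state
            self.note(p, st, "SYN and FIN set together")
            return
        if st == "NEW":
            if p.dir == "c2s" and has(SYN) and not has(ACK):
                self.state[p.flow] = "SYN_SENT"
            else:
                self.note(p, st, "flow did not start with a client SYN")
        elif st == "SYN_SENT":
            if p.dir == "s2c" and has(SYN | ACK):
                self.state[p.flow] = "SYN_RECEIVED"
            elif not (p.dir == "c2s" and has(SYN)):   # a SYN retransmit is fine
                self.note(p, st, "expected SYN/ACK from server")
        elif st == "SYN_RECEIVED":
            if p.dir == "c2s" and has(ACK) and not has(SYN):
                self.state[p.flow] = "ESTABLISHED"
            else:
                self.note(p, st, "expected final ACK of handshake from client")
        elif st == "ESTABLISHED":
            if has(SYN):
                self.note(p, st, "SYN inside an established connection")
            if has(FIN):
                self.state[p.flow] = "CLOSING"
        elif st == "CLOSING":
            if p.payload:
                self.note(p, st, "data after FIN")


def analyze(packets):
    """Runs the tracker over a packet list and returns the violations found."""
    tracker = TcpTracker()
    for p in packets:
        tracker.observe(p)
    return tracker.violations


# Constructed trace (not captured traffic): A is a normal HTTP connection,
# B is a SYN/FIN scan probe, C sends data on a flow that never handshaked.
TRACE = [
    Pkt("A", "c2s", SYN, b""),
    Pkt("A", "s2c", SYN | ACK, b""),
    Pkt("A", "c2s", ACK, b""),
    Pkt("A", "c2s", ACK | PSH, b"GET / HTTP/1.0\r\n\r\n"),
    Pkt("A", "s2c", ACK | PSH, b"HTTP/1.0 200 OK\r\n\r\n"),
    Pkt("A", "c2s", ACK | FIN, b""),
    Pkt("B", "c2s", SYN | FIN, b""),
    Pkt("C", "c2s", ACK | PSH, b"USER anonymous\r\n"),
]

if __name__ == "__main__":
    for violation in analyze(TRACE):
        print(violation)
```

Flow C illustrates a caveat: a sensor that starts capturing in the middle of an existing connection sees exactly this, so production engines need a midstream pickup policy (accept the flow, or alert only on later violations) before flagging it. Keeping state per flow is also where the memory and CPU cost noted above comes from.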
Rule based penetration examples
Users who log in after hours often access the same files they used earlier
Users do not generally open disk devices directly but rely on higher-level operating system utilities
Users should not be logged in more than once to the same system
Users do not make copies of system programs
Certain protocols are not allowed
Certain packets within protocols are not allowed
Certain destination or source IP addresses are not allowed
Signature- versus Anomaly-Based IDS
Signature-based: Looks for attack signatures in packets or logs
Retains signatures in a signature database or rule set(s)
Can create custom rules, sometimes with wildcards
Benefits & Limitations of Signature Based
Benefit: Can name specific attacks, allowing for appropriate reaction
Limitations:
More signatures translates into lower transaction rates
Slight deviations from the signature won’t be caught unless the sensor normalizes the data first: e.g., a space in the signature versus its URL-encoded form %20 in the request
New attacks cannot be caught
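An added example (not from the textbook or any IDS product) of the normalization point: the same signature set is run once over raw request lines and once after decoding the URI. The request lines and signature names are constructed for the example.

```python
"""Signature matching with and without normalization: added example, not
from the textbook or any IDS product. Shows that a signature written with a
space does not match the %20-encoded request, and the usual fix: decode the
URI the way the target server would before comparing it against the set."""
from urllib.parse import unquote

# Constructed HTTP request lines (not captured traffic).
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "GET /scripts/../../winnt/system32/cmd.exe?/c dir HTTP/1.0",
    "GET /scripts/..%5c../winnt/system32/CMD.EXE?/c%20dir HTTP/1.0",
    "GET /scripts/..%255c..%255c/winnt/system32/cmd.exe?/c%20dir HTTP/1.0",
    "GET /cgi-bin/%2e%2e/%2e%2e/bin/ps HTTP/1.0",
]

# Hypothetical signature set: (name, literal substring to look for).
SIGNATURES = [
    ("WEB-IIS cmd.exe dir", "cmd.exe?/c dir"),
    ("WEB-MISC /bin/ps access", "/bin/ps"),
    ("WEB-MISC directory traversal", "../"),
]


def uri_of(request_line):
    """Returns the request-target of 'METHOD target VERSION'."""
    parts = request_line.split(" ")
    return parts[1] if len(parts) >= 2 else request_line


def naive_match(request_line, signatures=SIGNATURES):
    """Byte-for-byte substring search on the raw URI: what a simple sensor does."""
    uri = uri_of(request_line)
    return [name for name, pattern in signatures if pattern in uri]


def normalize_uri(uri, max_rounds=3):
    """Percent-decodes until stable (bounded, so %2525... cannot loop forever),
    folds backslashes to slashes and lowercases, as an IIS-style server does.
    Decoding more rounds than the real server does creates false positives,
    so the round count should follow the protected server's behaviour."""
    previous, rounds = None, 0
    while uri != previous and rounds < max_rounds:
        previous, uri, rounds = uri, unquote(uri), rounds + 1
    return uri.replace("\\", "/").lower()


def normalized_match(request_line, signatures=SIGNATURES):
    """Same signatures, applied to the normalized URI."""
    uri = normalize_uri(uri_of(request_line))
    return [name for name, pattern in signatures if pattern.lower() in uri]


def compare(requests=SAMPLE_REQUESTS):
    """Returns (request, naive hits, normalized hits) for each sample."""
    return [(r, naive_match(r), normalized_match(r)) for r in requests]


if __name__ == "__main__":
    for request, naive, normalized in compare():
        print(f"{request}\n  naive={naive}\n  normalized={normalized}")
```

The decode loop is bounded and should mirror how many times the protected server decodes: the %255c form exists precisely to exploit servers that decode twice. Decoding more aggressively than the server turns harmless requests into false positives; decoding less lets the encoded variant through.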
Anomaly-based or Heuristic: Looks for unexpected behavior
Baseline-based Intrusion Detection: ‘Expected’ performance is known
Thresholds are established differentiating normal vs. abnormal behavior
E.g., Rate of SYN or Ping packets changes
E.g., Monitoring processor usage at night
E.g., Packet is not formatted as expected
Rule-based Intrusion Detection: Certain actions are not allowed
E.g., Log accesses to password file
Benefits & Limitations
Benefit: Quick at recognizing new large-scale worm attacks
Limitation: Cannot name the attack; cannot detect attacks near the norm
Anomaly Detection
Threshold detection
Checks excessive event occurrences over time
Alone a crude and ineffective intruder detector
Must determine both thresholds and time intervals
Profile based
Characterize past behavior of users / groups, then detect significant deviations
Based on analysis of audit records
Gather metrics: counter, gauge, interval timer, resource utilization
Analyze: mean and standard deviation, multivariate, Markov process, time series, operational model
Login & Session Activity
Measure | Model | Type of Intrusion Detected
Login frequency by date and time | Mean and standard deviation | Intruders likely to log in after normal hours
Frequency of login at different locations | Mean and standard deviation | Login from a place rarely used
Time since last login | Operational | Break-in at dead account
Elapsed time per session | Mean and standard deviation | Significant deviations may indicate a masquerader
Quantity of output to location | Mean and standard deviation | Excessive data transmitted could be leakage of sensitive data
Session resource utilization | Mean and standard deviation | Unusual processor or I/O levels may indicate an intruder
Password failures at login | Operational | Attempted break-in by guessing
File Access Activity
Measure | Model | Type of Intrusion Detected
Read, write, create, delete frequency | Mean and standard deviation | Abnormalities for access may signify masquerading or browsing
Records read, written | Mean and standard deviation | Attempt to obtain sensitive data by inference and aggregation
Failure count for read, write, create, delete | Operational | May detect users who persistently attempt to access unauthorized files
System Sensitivity
False positive: Innocent action logged as an attack
False negative: Attack not recognized
Sensitivity of the system: The trade-off between false positives and false negatives; a more sensitive setting (lower thresholds, more rules) catches more attacks but logs more innocent actions
Administrator must achieve the right balance of sensitivity
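An added example (not from the textbook) that runs the mean-and-standard-deviation model from the Login & Session Activity table and the operational model for password failures over constructed audit records, then scores the detector at two sensitivities so the false positive / false negative trade-off is visible in numbers. Users, counts and intrusion labels are all made up for the example.

```python
"""Profile-based anomaly detection with a sensitivity knob: added example,
not from the textbook. Builds per-user login profiles (mean and standard
deviation), applies an operational model for password failures (a fixed
limit, no baseline), and shows how the deviation threshold k trades false
positives against false negatives. All records are constructed."""
import statistics

# Constructed training data: logins per day for each user over ten days.
TRAINING = {
    "alice": [3, 4, 4, 5, 3, 4, 4, 3, 5, 4],
    "bob":   [1, 0, 1, 2, 1, 1, 0, 1, 1, 2],
    "carol": [8, 9, 7, 8, 10, 9, 8, 7, 9, 8],
}

# Constructed observations for one day: (user, logins, failed passwords,
# whether an intruder was actually behind the account). The labels score
# the detector afterwards; the detector itself never sees them.
OBSERVATIONS = [
    ("alice", 4, 0, False),
    ("alice", 6, 0, False),   # unusually busy but legitimate day
    ("bob", 6, 0, True),      # masquerader on a quiet account
    ("bob", 3, 0, True),      # cautious masquerader, barely above normal
    ("carol", 9, 1, False),
    ("carol", 10, 9, True),   # password guessing that eventually succeeded
    ("bob", 2, 0, False),
]

FAILED_PASSWORD_LIMIT = 5   # operational model: fixed rule, no profile needed


def build_profiles(training=TRAINING):
    """Mean and (population) standard deviation of daily logins per user."""
    return {user: (statistics.mean(v), statistics.pstdev(v))
            for user, v in training.items()}


def zscore(profiles, user, value):
    """How many standard deviations 'value' lies from the user's mean."""
    mean, sd = profiles[user]
    if sd == 0:
        return 0.0 if value == mean else float("inf")
    return (value - mean) / sd


def classify(profiles, user, logins, failures, k):
    """Returns why an observation is flagged, or None if it looks normal."""
    if failures >= FAILED_PASSWORD_LIMIT:
        return "operational: repeated password failures"
    if abs(zscore(profiles, user, logins)) > k:
        return "statistical: login frequency deviates from profile"
    return None


def evaluate(k, profiles=None, observations=OBSERVATIONS):
    """Counts hits and misses at deviation threshold k (lower k = more sensitive)."""
    profiles = profiles or build_profiles()
    counts = {"k": k, "tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for user, logins, failures, intrusion in observations:
        flagged = classify(profiles, user, logins, failures, k) is not None
        if flagged and intrusion:
            counts["tp"] += 1
        elif flagged:
            counts["fp"] += 1
        elif intrusion:
            counts["fn"] += 1
        else:
            counts["tn"] += 1
    return counts


if __name__ == "__main__":
    for k in (2.0, 3.5):
        print(evaluate(k))
```

At k = 2.0 the cautious masquerader on bob's account is caught but alice's busy day is a false positive; at k = 3.5 the false positive disappears and the cautious masquerader is missed. The password-failure rule fires at either setting because an operational model does not depend on the profile at all, which is why the two models are used together.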
Types of NIDS, NIPS
Passive mode or IDS: Monitors network traffic only
Does not affect performance of network traffic
Can be incapable of sending on network (a receive-only “stealth” interface)
Active mode or IPS: Performs inline processing of packets
Causes penalty on performance – problematic for very busy networks
Must be capable of sending on network
Logging of Alerts
Typical information logged by a NIDS sensor includes:
Timestamp
Connection or session ID
Event or alert type
Rating
Network, transport, and application layer protocols
Source and destination IP addresses
Source and destination TCP or UDP ports, or ICMP types and codes
Number of bytes transmitted over the connection
Decoded payload data, such as application requests and responses
State-related information
IETF Intrusion Detection Working Group
Purpose is to define data formats and exchange procedures for sharing information of interest to intrusion detection and response systems and to management systems that may need to interact with them
The working group issued the following RFCs in 2007:
Honeypots
Decoy systems designed to:
Lure a potential attacker away from critical systems
Collect information about the attacker’s activity
Encourage the attacker to stay on the system long enough for administrators to respond
Systems are filled with fabricated information that a legitimate user of the system wouldn’t access
Resources that have no production value
Therefore incoming communication is most likely a probe, scan, or attack
Initiated outbound communication suggests that the system has probably been compromised

Honeypot Classifications
Low interaction honeypot
Consists of a software package that emulates particular IT services or systems well enough to provide a realistic initial interaction, but does not execute a full version of those services or systems
Provides a less realistic target
Often sufficient for use as a component of a distributed IDS to warn of imminent attack
High interaction honeypot
A real system, with a full operating system, services and applications, which are instrumented and deployed where they can be accessed by attackers
Is a more realistic target that may occupy an attacker for an extended period
However, it requires significantly more resources
If compromised could be used to initiate attacks on other systems
How to Attach an IDS
Switch: Forwards each frame only to the port of its destination node
High throughput since simultaneous transmissions can occur between different pairs of ports
Switch Port Analyzer (SPAN) allows a network sniffer on a mirror port to monitor TX, RX or both directions of one or more other ports (commonly the switch-to-router uplink)
Disadvantage: A switch supports only one or a few SPAN sessions; the mirror port can be oversubscribed (both directions of a full-duplex link copied onto one port) and silently drop packets, and mirroring adds load to the switch
Advantage: No extra equipment, easy to install
Hub: Repeats traffic to all nodes
Disadvantage: Throughput limitations since all nodes share the same physical link; cannot implement duplex transmission between switch and router
Advantage: Easy to install and configure
Tap: A ‘T’ or listening device that forwards a copy of the traffic to the NIDS
Disadvantage: A passive tap usually presents each direction on a separate monitor port, so the sensor needs two capture interfaces (or an aggregation tap); the monitor ports are receive-only, which dictates a stealth configuration
Advantage: Fault tolerant on power failure (a passive tap keeps passing traffic), no throughput degradation, protects IDS from attacks
Table 8.3 Snort Rule Actions

Table 8.4 Examples of Snort Rule Options
(Table can be found on page 283 in textbook.)

SNORT Rules
Use a simple, flexible rule definition language
With fixed header and zero or more options
Header includes: action, protocol, source IP, source port, direction, dest IP, dest port
Many options
Example rule to detect a TCP SYN-FIN scan (SYN and FIN set together; the ",12" mask tells Snort to ignore the two reserved bits before the exact comparison):
alert tcp $EXTERNAL_NET any -> $HOME_NET any \
    (msg:"SCAN SYN FIN"; flags:SF,12; \
    reference:arachnids,198; classtype:attempted-recon;)
SNORT NIDS->NIPS
Snort Format:
{cmd} {protocol} {sourceIP} {sourcePort} {direction} {destIP} {destPort} (<keyword>:<value>; <keyword>:<value>)
Cmd = alert, pass, log, activate, dynamic (inline mode adds drop, reject and sdrop)
log = packet text only; alert writes to alert file
Protocol = ip, tcp, udp, icmp (the only protocols Snort 2 rules match on; arp, igrp, gre, ospf, rip and others are named in the Snort manual only as possible future additions)
Port = any, a single port, :1024 (up to 1024) or 1024:6000 (a range)
Direction = -> or <>
Snort Command Example
Snort Format:
{cmd} {protocol} {sourceIP} {sourcePort} {direction} {destIP} {destPort} (<keyword>:<value>; <keyword>:<value>)
Example:
var HTTP_SERVERS [192.168.1.50/32]
var HOME_NET [192.168.1.0/24]
var EXTERNAL_NET !$HOME_NET
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags:A+; content:"cmd.exe"; nocase; classtype:web-application-attack;)
Snort Keywords
Keywords can include:
dsize: test the payload size, e.g. dsize:>1000 fires on larger payloads, which may indicate buffer overflow attempts
ttl: IP time to live value
fragbits: R=Reserved, D=Don’t Fragment, M=More Fragments
ipopts: IP options: lsrr = loose source routing; ssrr = strict source routing
flags: S=Syn, A=Ack, F=Fin, R=Reset, P=Push, U=Urgent; + = the listed flags plus any others, * = any of the listed flags, ! = none of the listed flags; no modifier means an exact match
itype: ICMP packet type
content: <text or hexadecimal data to search for>
uricontent: content of the normalized request URI (e.g., "/bin/ps")
offset: the position in the packet payload to begin searching for a match
nocase: deactivates case-sensitivity for the preceding content match
sid: signature ID, uniquely identifying the rule
ip_proto: protocol number carried in the IP header (e.g., 6 = TCP, 17 = UDP, 47 = GRE); this is an IP protocol number, not a port number
rev: rule revision number
logto: file to write log to
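An added example, not Snort's own code: a small parser and matcher for the rule syntax described on the last few slides, written to show how the header, variable expansion, port ranges, the flags mask and nocase fit together. The two rules and the var definitions are the ones from the slides; the packets are constructed. Direction <> is treated like -> and nocase is applied to every content option, both simplifications of real Snort.

```python
"""Parser and matcher for the Snort rule format shown above: added example, not
Snort's own code. Handles the header, $VAR expansion, address/port specs, flags:
(modifier and mask) and content:/nocase. Rules and variables are from the slides."""
import ipaddress
import re
from functools import reduce

VARIABLES = {"HTTP_SERVERS": "[192.168.1.50/32]", "HOME_NET": "[192.168.1.0/24]",
             "EXTERNAL_NET": "!$HOME_NET"}
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN FIN"; '
    'flags:SF,12; reference:arachnids,198; classtype:attempted-recon;)',
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; '
    'flags:A+; content:"cmd.exe"; nocase; classtype:web-application-attack;)',
]
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")
# Snort flag letters -> TCP flag bits; "1" and "2" are the reserved (CWR/ECE) bits.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20,
             "2": 0x40, "1": 0x80, "0": 0x00}

def expand(token, variables=VARIABLES):
    """Replaces $NAME until none is left, so !$HOME_NET becomes ![192.168.1.0/24]."""
    while "$" in token:
        token = re.sub(r"\$(\w+)", lambda m: variables[m.group(1)], token)
    return token

def split_options(text):
    """Option items are separated by ';' outside double quotes."""
    return [p.strip() for p in re.findall(r'(?:"[^"]*"|[^;])+', text) if p.strip()]

def parse_rule(text, variables=VARIABLES):
    header = HEADER_RE.match(text.strip()).groupdict()
    for field in ("src", "sport", "dst", "dport"):
        header[field] = expand(header[field], variables)
    options = [(k.strip(), v.strip().strip('"')) for k, _, v in
               (item.partition(":") for item in split_options(header.pop("opts")))]
    return {"header": header, "options": options}

def flags_match(spec, tcp_flags):
    """flags:[modifier]<letters>[,<mask>]; Snort accepts the modifier before or after
    the letters (both SF,12 and A+ appear on this page); no modifier means exact."""
    bits = lambda letters: reduce(lambda v, c: v | FLAG_BITS[c], letters.strip(), 0)
    letters, _, mask = spec.partition(",")
    mode = "="
    for modifier in "+*!":
        if modifier in letters:
            mode, letters = modifier, letters.replace(modifier, "")
    want, seen = bits(letters), tcp_flags & ~bits(mask) & 0xFF
    return {"=": seen == want, "+": seen & want == want,
            "*": seen & want != 0, "!": seen & want == 0}[mode]

def ip_in(spec, address):
    """'any', one network, or a bracketed list, optionally negated with '!'."""
    if spec == "any":
        return True
    nets = [ipaddress.ip_network(n.strip(), strict=False)
            for n in spec.lstrip("!").strip("[]").split(",")]
    return any(ipaddress.ip_address(address) in n for n in nets) != spec.startswith("!")

def port_in(spec, port):
    """'any', one port, or a range N:M, :M or N:."""
    if spec == "any":
        return True
    low, sep, high = spec.partition(":")
    if not sep:
        return port == int(spec)
    return (int(low) if low else 0) <= port <= (int(high) if high else 65535)

def rule_matches(rule, pkt):
    """Header fields first, then each option; '<>' is treated like '->' here."""
    h = rule["header"]
    if h["proto"] != pkt["proto"] or not (
            ip_in(h["src"], pkt["src"]) and port_in(h["sport"], pkt["sport"])
            and ip_in(h["dst"], pkt["dst"]) and port_in(h["dport"], pkt["dport"])):
        return False
    nocase = ("nocase", "") in rule["options"]   # simplification: applies to every content
    for key, value in rule["options"]:
        if key == "flags" and not flags_match(value, pkt["flags"]):
            return False
        if key == "content":
            hay, needle = pkt["payload"], value.encode()
            if nocase:
                hay, needle = hay.lower(), needle.lower()
            if needle not in hay:
                return False
    return True

def tcp(src, dst, dport, flags, payload=b""):
    return dict(proto="tcp", src=src, sport=40000, dst=dst, dport=dport, flags=flags, payload=payload)

PARSED = [parse_rule(r) for r in RULES]
PACKETS = {  # constructed: SYN/FIN probe with ECE also set (masked by ",12"); cmd.exe from outside and inside
    "synfin_probe": tcp("203.0.113.9", "192.168.1.20", 22, 0x43),
    "external_cmdexe": tcp("203.0.113.9", "192.168.1.50", 80, 0x18, b"GET /scripts/CMD.EXE?/c+dir HTTP/1.0\r\n"),
    "internal_cmdexe": tcp("192.168.1.77", "192.168.1.50", 80, 0x18, b"GET /scripts/cmd.exe?/c+dir HTTP/1.0\r\n"),
}

def alerts_for(pkt, rules=PARSED):
    """Returns the msg of each rule that fires on the packet."""
    return [dict(r["options"])["msg"] for r in rules if rule_matches(r, pkt)]
```

The SYN/FIN probe carries the ECE bit as well and still matches, because the ",12" mask removes both reserved bits before the exact comparison. The identical cmd.exe request from 192.168.1.77 produces no alert because !$HOME_NET excludes internal sources, a common reason a rule that looks right stays silent.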
Snort IPS Additional Commands
New actions used for inline configurations:
drop: Alert and drop the packet
sdrop: Drop the packet but don’t trigger the alert
E.g.: sdrop udp $EXTERNAL_NET any …
Snort IPS Added Keywords
resp:<resp_keyword>[,resp_keyword]
<resp_keyword> = rst_snd, rst_rcv, rst_all, icmp_net, icmp_host, icmp_port, icmp_all
Sends RST to packet sender/recipient/both; sends host/port/network unreachable
react:<react_keyword>[,react_keyword]
<react_keyword> = block, warn, msg, proxy
Used with HTTP-based attacks.
E.g.: alert tcp any any <> $HOME_NET 80 (content:"naughtyContent"; msg:"Not allowed!"; react:block,msg;)
replace: “text to replace content with”
Allows replacement of potentially dangerous text with safe text, e.g. “cmd.exe” -> “xxx.exe” (Snort requires the replacement to be exactly the same length as the matched content, so “cmd.exe” cannot be rewritten to the longer “nocmd.exe”)
Summary
Intruders
Intruder behavior
Intrusion detection
Basic principles
The base-rate fallacy
Requirements
Analysis approaches
Anomaly detection
Signature or heuristic detection
Host-based intrusion detection
Data sources and sensors
Anomaly HIDS
Signature or heuristic HIDS
Distributed HIDS
Network-based intrusion detection
Types of network sensors
NIDS sensor deployment
Intrusion detection techniques
Logging of alerts
Distributed or hybrid intrusion detection
Intrusion detection exchange format
Honeypots
Example system: Snort
Snort architecture
Snort rules