

• Number of slides: 39

Survey of Information Assurance: Intrusion Detection Systems

Agenda
• The Early Systems
• Network Based Detection
  – Architecture
  – Benefits
  – Challenges
• Host Based Detection
  – Architecture
  – Benefits
  – Challenges
• Detection Mechanisms

Scope of Discussions
• Details of signature matching algorithms are not covered.
• The validity of data collected by an IDS from a legal point of view is not discussed.
• Data mining techniques and data refinement are not discussed.
• The business aspect of intrusion detection is not covered.

IDS – systems that collect information from a variety of system and network resources, and then analyze the information for signs of intrusion and misuse.

The Early Systems
• 1980 James P. Anderson wrote a technical report, “Computer Security Threat Monitoring and Surveillance”.
• 1985 The US Navy funded development of IDES (Intrusion Detection Expert System).
• 1986 Dorothy Denning published “An Intrusion Detection Model”.
• 1987 The first annual Intrusion Detection Workshop was held for experts to share ideas.
• 1989 Todd Heberlein wrote “A Network Security Monitor” (NSM). NSM is capable of detecting anomalous activity in a heterogeneous network by monitoring TCP/IP packets.
• 1990 The US Navy completes a study of IDS research and examines 5 systems in detail.

The Early Systems (continued)
• 1992 CMDS (Computer Misuse Detection System) by Science Applications International Corporation. Stalker is developed by Haystack Labs. These are the first commercial host-based IDS and are targeted at UNIX.
• 1994 Researchers at the Air Force Cryptologic Support Center create ASIM, a robust IDS, and later commercialize it through a company they formed, WheelGroup.
• 1997 Cisco acquires WheelGroup and starts a program to build a network IDS. Internet Security Systems releases RealSecure for Windows NT.
• 1998 The creators of Stalker and CMDS join into Centrax Corporation and release eNTrax for Windows NT.
• 1999 FIDNet (Federal Intrusion Detection Network) is created to protect government sites.

[Table: Capabilities Comparison among early IDS (two slides); the per-system checkmarks are not recoverable from the slide text.]
• Systems compared: Clyde.SENTRY, IDES, ISOA, Haystack, Wisdom and Sense, NADIR, CMDS
• EFFECTIVENESS criteria: Type 1 Detection (Automatic), Type 1 Detection (SSO Defined), Type 2 Detection (Dynamic), Type 2 Detection (Static), Online, Exception Handling, Long Term Behavior Profile, Operational, Enrichment, Processed Expeditiously, Tested with Real Data, Multiple Methods, Serial Methods
• ADAPTABILITY criteria: Host Target, VMS, Government Product, Multiple Targets, Extensible Architecture, Product Dev Environment
• INTERFACE criteria: Damage Assessment Report, Adjustable Sensitivity Control, Ease of Operation, Understandable Results, Mature SSO Interface, Printed Report, Event Record Retention

Flaws of early IDS
• No platform independence – the IDS could not analyze data from systems other than the one it was designed for, i.e. the systems were OS specific.
• No system independence – the IDS could not process data from systems other than the original targets for which it had been designed.
• Bad UI – the user interfaces were far from intuitive due to the research nature of these projects.

Types of IDS
• Network Based Intrusion Detection Systems
  – The system is used to analyze network packets, i.e. the data sent out of the host interface.
  – Packets are usually “sniffed” off the network.
  – The IDS is uniquely positioned to detect access attempts and DOS attacks originating from outside.
• Host Based Intrusion Detection Systems
  – Analyze data originating at the host.
  – Have no access to, or monitoring of, data in the network or data originating at other hosts.

Network Based IDS – what it detects
• Unauthorized access
  – Unauthorized login
  – Jump-off point for other attacks
• Data/Resource theft
  – Password downloads
  – Bandwidth theft
• DOS – denial of service
  – Malformed packets
  – Packet flooding
  – Distributed DOS

A B C of Network Based IDS
• A – Architecture
• B – Benefits
• C – Challenges

Network Based IDS - Architecture
• Sensors are deployed across the network and report to a central console.
• Sensors: self-contained detection engines that obtain packets from the network, search for intrusion-like behavior and send information back to the central console.
• Types:
  – Traditional Sensor: sensors monitor network segments, not individual machines.
  – Network Node: an agent is placed on each machine in the network and monitors only the traffic received by that machine.

[Diagram: A Standard Network IDS – Command Console, Network Sensor (TCP/IP Records, Detection Engine, Network Packets), Log, Response Subsystem, Report, Data Forensics, Data Base, Alert, Security Officer; the numbered flow (1–9) is not recoverable from the slide text.]

Traditional Sensor based Architecture
• Steps:
  – A packet is sent (by anyone) on or outside the network.
  – It is sniffed by the sensor.
  – The sensor-resident detection engine examines the packet for predefined misuse patterns. When a pattern is detected, an “Alert” is sent to the central console.
  – The Security Officer is notified.
  – A response is generated. It may be automated or directed by the security officer, and may include reconfiguration of the sensor, router or firewall.
  – A log entry is made.
  – A comparison is made with the database and a report is created.
  – The incident is stored in the database to establish any long-term trend using Data Forensics.

[Diagram: A Sensor Based Network IDS – Command Console, Network Sensor (TCP/IP Records, Detection Engine, Network Packets), Log, Response Subsystem, Report, Alert, Security Officer, Data Forensics, Data Base; the numbered flow (1–9) is not recoverable from the slide text.]

Distributed Network-Node Architecture
• Steps:
  – A packet is sent (by anyone) on or outside the network.
  – It is sniffed by the sensor placed on the destination machine.
  – The sensor-resident detection engine examines the packet for predefined misuse patterns. When a pattern is detected, an “Alert” is sent to the central console.
  – The Security Officer is notified.
  – A local response is generated.
  – A log entry is made.
  – A comparison is made with the database and a report is created.
  – The incident is stored in the database to establish any long-term trend using Data Forensics.

[Diagram: A Distributed Network Node IDS – Command Console, Network Sensor (TCP/IP Records, Network Packets, Detection Engine), Data Forensics, Security Officer, Report, Alert, Local Response, Data Base; the numbered flow (1–8) is not recoverable from the slide text.]

Network Based IDS: Benefits
• Outsider Deterrence – responding to an attack attempt with a legal notice, e-mail warning, etc.
• Detection
  – Signature matching
  – Statistical behavioral analysis
• Automated Response and Notification
  – Notify the system administrator
  – Reconfigure the router/firewall to block the attacking source address

Network Based IDS: Challenges
• Packet Reassembly – see Ptacek and Newsham’s 1998 paper, “Insertion, Evasion, and DOS: Eluding Network Intrusion Detection”
• High Speed Networks
• Sniffer Detection Programs – AntiSniff (1999)
• Switched Networks – ATM
• Encryption

Host Based IDS – what it detects
• Abuse of privilege
  – Administrative lapse (incorrect privilege assignment, domain addition, ex-employee)
  – Privileged user disclosing data
• Changes in Security Configuration
  – Admin rights given to a user, WFH user laptops
  – Guest account
  – Open registry (Windows NT defaults)
  – Legal notice missing

A B C of Host Based IDS
• A – Architecture
• B – Benefits
• C – Challenges

Host Based IDS - Architecture
• Usually agent based
• Agent: an executable that runs on the target host and communicates with a Central Command Console.
• Types:
  – Centralized Host Based Architecture
  – Distributed Real-Time Architecture
  – Agentless Host-Based Intrusion Detection

Centralized Host Based Architecture
• Steps:
  – An event record is created (a program executed, a file accessed, etc.)
  – The agent centralizes the audit file to the CC (Command Console)
  – The detection engine processes the file
  – A log is created
  – An alert is generated
  – The Security Officer is notified
  – A response is generated
  – The alert is stored
  – Raw data is moved to the data archive
  – Reports are generated

[Diagram: A Centralized Host Based IDS – Command Console, Target Host (Audit Subsystem, Audit Data), Centralized Collector, Raw Data, Detection Engine, Log, Response Subsystem, Report, Data Forensics, Data Base, Alert, Security Officer; the numbered flow (1–9) is not recoverable from the slide text.]

Distributed Real-Time Architecture
• Steps:
  – An event record is born
  – The file is read in REAL-TIME and processed through the target-resident engine
  – The Security Officer is notified
  – A response is generated
  – The alert is generated and sent to the central console
  – Data Forensics is used to look for long-term trends; there is no raw data archive or statistical data
  – Reports are generated

[Diagram: A Distributed Real-Time Host IDS – Command Console, Target Host (Audit Subsystem, Audit Data, Detection Engine), Data Forensics, Security Officer, Report, Alert, Local Response, Data Base, Collector; the numbered flow (1–8) is not recoverable from the slide text.]

Agentless Architecture
• There are no host-based agents.
• The central console monitors systems through an API that provides it with “remote control” of the data source.
• Example: Windows NT/2000 has an API with such capabilities. Kane Security Monitor makes use of this facility.

Host Based IDS: Benefits
• Insider Deterrence
• Detection
• Notification and Response
  – Log off user / disable account
  – Execute local script
• Damage Assessment
• Attack Anticipation
• Prosecution Support

Host Based IDS: Challenges
• Performance – the case of the Distributed Real-Time Architecture
• Deployment/Maintenance
• Compromise – disabling or shutting off the user agent
• Spoofing
  – Inserting into audit records
  – Erasing audits

DETECTION MECHANISMS
• Network Based Signatures
• Host Based Signatures

Network Based Signatures (1 of 2)
• Packet Content Inspection
  – The packet data (payload) is inspected for patterns or signatures.
  – Example: FTP Site Exec. Pattern within data: (c7 a5 db 87 c7 a5 db 01) exec cat /etc/passwd\r\n

Network Based Signatures (2 of 2)
• Packet Header Inspection
  – The packet header is inspected for patterns or signatures.
  – Examples:
    • Broadcast attack
    • Land attack
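An added illustration (not code from the deck or from Proctor's handbook) tying together the packet reassembly challenge, the payload signature and the header signature above: a tiny Python signature engine with a per-packet matcher and a stream-reassembling matcher, showing that only the latter finds a payload signature that spans two segments. The packet model, signature bytes, addresses and the Land rule are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Packet:                     # constructed minimal packet model (assumption)
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    seq: int = 0                  # TCP sequence offset within the flow
    payload: bytes = b""
# Constructed payload signatures (pattern -> alert name); illustrative, not real rules.
PAYLOAD_SIGS = {b"SITE EXEC": "ftp-site-exec", b"cat /etc/passwd": "passwd-read"}

def header_alerts(p):
    """Header inspection: Land attack = source address/port equal to destination."""
    if p.src_ip == p.dst_ip and p.src_port == p.dst_port:
        return ["land-attack"]
    return []

def payload_alerts(data):
    """Content inspection: every signature whose bytes occur in the buffer."""
    return [name for pat, name in PAYLOAD_SIGS.items() if pat in data]

def per_packet(packets):
    """Naive engine: each packet is inspected in isolation (no reassembly)."""
    alerts = []
    for p in packets:
        alerts += header_alerts(p) + payload_alerts(p.payload)
    return alerts

def reassembled(packets):
    """Engine that orders each TCP flow by sequence number and joins the payloads
    before matching, so a signature spanning two segments is still found."""
    alerts = [a for p in packets for a in header_alerts(p)]
    flows = defaultdict(list)
    for p in packets:
        flows[(p.src_ip, p.src_port, p.dst_ip, p.dst_port)].append(p)
    for segs in flows.values():
        stream = b"".join(s.payload for s in sorted(segs, key=lambda s: s.seq))
        alerts += payload_alerts(stream)
    return alerts

# Constructed flow: the FTP command arrives in two out-of-order segments.
FLOW = [
    Packet("10.0.0.5", 40001, "10.0.0.9", 21, seq=3, payload=b"E EXEC cat /etc/passwd\r\n"),
    Packet("10.0.0.5", 40001, "10.0.0.9", 21, seq=0, payload=b"SIT"),
]
LAND = Packet("10.0.0.9", 21, "10.0.0.9", 21)   # constructed header-only packet
```

Running `per_packet(FLOW)` yields only the `passwd-read` alert, while `reassembled(FLOW)` also yields `ftp-site-exec`; this is the gap the reassembly challenge refers to.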

Host Based Signatures
• Single Event Signatures – writing to an executable
  – Access flags “WriteData”, “WriteAttributes”, “WriteEA”, “AppendData”, etc.
• Multi Event Signatures – repeated failed logins
• Multi-Host Signatures – events distributed over multiple hosts
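An added Python illustration (not the deck's code) of the three host-based signature classes on this slide, run over constructed audit records: a single-event rule for write-class access to an executable, a multi-event rule for repeated failed logins on one host, and a multi-host rule for one account failing across several hosts. The record layout, thresholds, window and executable extensions are assumptions.

```python
from collections import defaultdict

# Constructed audit records: (time_s, host, user, event, target, access_flags)
AUDIT = [
    (100, "srv1", "alice",   "file_access",  "C:\\Tools\\editor.exe", {"ReadData"}),
    (105, "srv1", "mallory", "file_access",  "C:\\Tools\\backup.exe", {"WriteData"}),
    (110, "srv1", "bob", "login_failed", "", set()),
    (112, "srv1", "bob", "login_failed", "", set()),
    (115, "srv1", "bob", "login_failed", "", set()),
    (200, "srv2", "bob", "login_failed", "", set()),
    (205, "srv3", "bob", "login_failed", "", set()),
    (900, "srv1", "bob", "login_failed", "", set()),   # too late to join the first burst
]
# Write-class access flags named on the slide; any of them on an executable
# is the single-event signature.
WRITE_FLAGS = {"WriteData", "WriteAttributes", "WriteEA", "AppendData"}

def exec_write_alerts(records):
    """Single-event signature: a write-class access to an executable file."""
    return [(ts, host, user, target)
            for ts, host, user, ev, target, flags in records
            if ev == "file_access" and target.lower().endswith((".exe", ".dll"))
            and flags & WRITE_FLAGS]

def failed_login_alerts(records, threshold=3, window=60):
    """Multi-event signature: `threshold` failed logins for one (host, user)
    inside a sliding `window` of seconds; fires when the count is reached."""
    alerts, recent = [], defaultdict(list)
    for ts, host, user, ev, _, _ in records:        # records assumed time-ordered
        if ev != "login_failed":
            continue
        times = recent[(host, user)]
        times.append(ts)
        while ts - times[0] > window:               # drop events outside the window
            times.pop(0)
        if len(times) == threshold:
            alerts.append((host, user, ts))
    return alerts

def multi_host_alerts(records, min_hosts=3):
    """Multi-host signature: one account failing logins on `min_hosts` or more hosts."""
    hosts = defaultdict(set)
    for _, host, user, ev, _, _ in records:
        if ev == "login_failed":
            hosts[user].add(host)
    return sorted(user for user, seen in hosts.items() if len(seen) >= min_hosts)
```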

Limitations of IDS
• Not an answer to primary network security issues
• Requires a standard firewall and malware protection system
• May not be able to detect a new attack, but does provide data to trace such activity

Latest trends: IDS and IPS
• IPS – Intrusion Prevention Systems. An IPS is much more active than an IDS and hence is seen as a better security technology.
• IDS/IPS functionality is usually incorporated into the firewall or VPN.
• These technologies can be used for rate-limiting a particular kind of data.
• More Layer 7 analysis is being incorporated into IDS/IPS systems.

Questions?

References
• Content and diagram references from The Practical Intrusion Detection Handbook by Paul E. Proctor
• http://www.sans.org/resources/idfaq/what_is_id.php?portal=3ddecea0aa1dd75e13d0c7f68b7a57eb
• http://www.networksecurityjournal.com/intrusiondetection/
• http://www.networksecurityjournal.com/features/current-trends-in-ids-ips-052907/