Chapter 8 Intrusion Detection
NIDS Sensor Deployment: Location 2 (just outside external firewall)
+: Documents attacks originating on the Internet that target the network
-: Highest processing burden of any location
NIDS Sensor Deployment: Location 4 (on specific department networks)
+: Focuses limited resources on the network assets considered of greatest value
NIDS Sensor Deployment: Location 3 (on backbone networks that support internal servers and databases)
+: Monitors a large amount of internal network traffic, thus increasing the possibility of spotting attacks
+: Detects unauthorized activity by authorized users inside the organization
+: Monitors both internal and external attacks
Honeypot Deployment: Location 3 (internal)
+: Can catch internal attacks
+: Can detect a misconfigured firewall (based on traffic reaching the honeypot from the Internet)
-: If the honeypot is compromised or hijacked, it can be used to attack other internal systems
-: The firewall must be adjusted to let attackers into the internal network, which may lead to compromise of the internal network
Honeypot Deployment: Location 1 (outside external firewall)
+: Can track attempts to connect to unused IP addresses in the network
+: Avoids the danger of compromising a system behind the firewall
+: By attracting many potential attacks, it reduces the alerts issued by the firewall and internal IDSs
-: No ability to trap internal attackers if the external firewall filters traffic in both directions
Honeypots
- Honeypots are decoy systems that
  + Lure a potential attacker away from critical systems
  + Collect information about the attacker's activity
  + Encourage the attacker to stay on the system long enough for administrators to respond
- Systems are filled with fabricated information that a legitimate user of the system wouldn't access
- Resources that have no production value
  + Therefore incoming communication is most likely a probe, scan, or attack
  + Initiated outbound communication suggests that the system has probably been compromised
rule-based heuristic identification
- Involves the use of rules for identifying known penetrations or penetrations that would exploit known weaknesses
- Rules can also be defined that identify suspicious behavior, even when the behavior is within the bounds of established patterns of usage
- Typically the rules used are specific to the machine and operating system
Honeypot Classifications
- Low interaction honeypot
  + Consists of a software package that emulates particular IT services or systems well enough to provide a realistic initial interaction, but does not execute a full version of those services or systems
  + Provides a less realistic target
  + Often sufficient for use as a component of a distributed IDS to warn of imminent attack
- High interaction honeypot
  + A real system, with a full operating system, services and applications, which are instrumented and deployed where they can be accessed by attackers
  + Is a more realistic target that may occupy an attacker for an extended period
  + However, it requires significantly more resources
  + If compromised, could be used to initiate attacks on other systems
NIDS Sensor Deployment: Location 1 (just inside external firewall)
- Sees attacks from the external world that succeeded in penetrating the perimeter defense
- Highlights problems with the perimeter defense
- Can sometimes recognize outgoing traffic from a compromised server
Intrusion Detection Exchange Format: Manager
- The ID component or process from which the operator manages the various components of the ID system
- Management functions: sensor configuration, analyzer configuration, event notification management, data consolidation, and reporting
Logging of Alerts
- When a sensor detects a potential violation, it sends an alert (and related logs), which are
  + used by the analysis module to refine intrusion detection parameters and algorithms
  + used by the security administrator to design prevention techniques
Host-based Intrusion Detection (HIDSs)
- Add a specialized layer of security software to vulnerable or sensitive systems, such as database servers and administrative systems
- Monitor activity on the system in a variety of ways to detect suspicious behavior
- Can detect both external and internal intrusions, something that is not possible with either network-based IDSs or firewalls
user interface
- The user interface to an IDS enables a user to view output from the system or control its behavior
- In some systems, the user interface may equate to a manager, director, or console component
Intrusion Detection Exchange Format: Sensor
- Collects data from a data source
- Forwards events to the analyzer
Anomaly Detection
- Collection and processing of sensor data from the normal operation of the monitored system in a training phase
- Training may occur at distinct times, or there may be a continuous process of monitoring and evolving the model over time
- Two key issues:
  + Monitored data: ensuring that data gathered from the variety of possible sources is provided in a standard form for analysis
  + Statistical approaches: using the captured sensor data to develop a statistical profile of the observed metrics
Distributed or hybrid IDS
- combines information from a number of sensors, often both host and network-based, in a central analyzer that is able to better identify and respond to intrusion activity
Intrusion Detection Exchange Format: Operator
- Human who is the primary user of the IDS manager
- The operator often monitors the output of the IDS and initiates or recommends further action
Intrusion Detection Exchange Format: Administrator
- Human with overall responsibility for setting the security policy of the organization, and for decisions about deploying and configuring the IDS
inline sensor
- Inserted into a network segment so that the traffic it is monitoring must pass through the sensor
- Can combine NIDS sensor logic with another network device (firewall or LAN switch)
signature approaches
- Match a large collection of known patterns of malicious data against data stored on a system or in transit over a network
- Signatures need to be large enough to minimize the false alarm rate, while still detecting a sufficiently large fraction of malicious data
  + Advantage: relatively low cost in time and resource use, and wide acceptance
  + Disadvantage: significant effort required to constantly identify and review new malware to create signatures able to identify it, and the inability to detect zero-day attacks for which no signatures exist
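The following is an added example, not code from the textbook or the page, of what a signature approach does in practice: a small set of constructed byte-pattern signatures is run over constructed HTTP request payloads. It also shows the caveat practitioners care about most: a payload that is trivially re-encoded (here, percent-encoded) carries the same attack but different bytes, so the raw match misses it until the data is normalised first. The signature IDs, patterns and payloads are all illustrative, not real IDS rules.

```python
"""Pattern-matching signature detection over captured payloads, and the
normalisation step needed so trivial re-encodings don't slip past it.

Added example; not code from the textbook page. The three signatures and
all payloads are constructed for illustration and are not real IDS rules.
"""
import re
from urllib.parse import unquote_to_bytes

# (id, description, pattern). Byte regexes so the same rules run over raw
# packet payloads or file contents alike.
SIGNATURES = [
    (1001, "directory traversal in URL", re.compile(rb"\.\./\.\./")),
    (1002, "UNION-based SQL injection", re.compile(rb"\bUNION\s+SELECT\b", re.IGNORECASE)),
    (1003, "shell command injection", re.compile(rb"[;|`]\s*(cat|wget|curl)\s")),
]

# Constructed HTTP request lines. "encoded" carries the same traversal as
# "traversal", but URL-encoded, so the raw bytes differ.
SAMPLE_PAYLOADS = {
    "benign":    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "traversal": b"GET /download?file=../../etc/passwd HTTP/1.1\r\n",
    "sqli":      b"GET /item?id=1 UNION SELECT user,pass FROM users HTTP/1.1\r\n",
    "cmdi":      b"GET /ping?host=127.0.0.1;cat /etc/passwd HTTP/1.1\r\n",
    "encoded":   b"GET /download?file=%2e%2e%2f%2e%2e%2fetc/passwd HTTP/1.1\r\n",
}


def match_signatures(payload, signatures=SIGNATURES):
    """IDs of every signature whose pattern occurs in the payload."""
    return [sid for sid, _, pattern in signatures if pattern.search(payload)]


def normalise_http(payload):
    """Decode percent-encoding before matching (what NIDS HTTP preprocessors
    do) so that %2e%2e%2f and ../ are compared alike."""
    return unquote_to_bytes(payload)


def scan(payloads, normalise=False, signatures=SIGNATURES):
    """Run all signatures over each payload; returns {name: [matching ids]}."""
    return {
        name: match_signatures(normalise_http(p) if normalise else p, signatures)
        for name, p in payloads.items()
    }


if __name__ == "__main__":
    raw = scan(SAMPLE_PAYLOADS)
    normalised = scan(SAMPLE_PAYLOADS, normalise=True)
    for name in SAMPLE_PAYLOADS:
        print(f"{name:10s} raw={raw[name]!s:8s} normalised={normalised[name]}")
```

Run as-is, the "encoded" payload matches nothing on the raw bytes and matches signature 1001 once decoded. Normalisation only closes the encodings you anticipate; a genuinely new technique with no signature still passes, which is the zero-day limitation above.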
passive sensor
- Monitors a copy of the network traffic; the actual traffic does not pass through the device
Network-based IDS (NIDS)
- monitors network traffic for particular network segments or devices and analyzes network, transport, and application protocols to identify suspicious activity
Host-based IDS (HIDS)
- Monitors the characteristics of a single host and the events occurring within that host, such as process identifiers and the system calls they make, for evidence of suspicious activity
knowledge based approaches
- Classify observed data using a set of rules developed during the training phase
- Formal tools used to describe the rules include finite-state machines or a standard description language
  + Advantage: robustness and flexibility
  + Disadvantage: the difficulty and time required to develop high-quality knowledge from the data, and the need for human experts to assist with this process
analyzers
- Receive input from one or more sensors or from other analyzers
- Responsible for determining if an intrusion has occurred
sensors
- Responsible for collecting data
- The input may be any part of a system that could contain evidence of an intrusion
- Types of input: network packets, log files, and system call traces
- Collect and forward information to the analyzer
Anomaly Detection Techniques: Worm
- The spread of worms among hosts can be detected because
  + some worms use large amounts of bandwidth
  + they cause hosts to communicate with each other that typically do not
  + they can also cause hosts to use ports that they normally do not use
Intrusion Detection Exchange Format: Analyzer
- The ID component or process that analyzes the data collected by the sensor for signs of unauthorized or undesired activity, or for events that might be of interest to the security administrator
Intrusion Detection Exchange Format: Data source
- The raw data that an IDS uses to detect unauthorized or undesired activity
- Common data sources: network packets, operating system audit logs, application audit logs, and system-generated checksum data
machine-learning approaches
- Use data mining techniques to automatically develop a model from labeled normal training data that can classify subsequently observed data as either normal or anomalous
  + Advantage: flexibility, adaptability, and the ability to capture interdependencies between the observed metrics
  + Disadvantage: the process typically requires significant time and computational resources
time-series models (statistical)
- Use the order and time between observed events to better classify the behavior
  + Advantage: relative simplicity, low computation cost, and lack of assumptions about the behavior expected
  + Disadvantage: difficulty in selecting suitable metrics to obtain a reasonable balance between false positives and false negatives, and not all behaviors can be modeled using these approaches
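As an added example that is not from the textbook or the page, the code below carries the statistical anomaly detection described under "Anomaly Detection" and the statistical models above through both phases: a training phase that builds a mean and standard deviation profile of one metric, and a detection phase that flags observations more than three standard deviations out. The metric (outbound connections per hour from one host), the training series and the observed values are constructed; the model keeps evolving as the card describes, but only from values judged normal, which is the caveat against an attacker slowly retraining the baseline.

```python
"""Statistical anomaly detection on a per-hour event count.

Added example; not code from the textbook page. It assumes the monitored
metric is "outbound connections per hour from one host" and that the
training data was captured while the host was known to be clean. All
numbers below are constructed.
"""

# Constructed training phase: hourly outbound connection counts observed
# during normal operation (a real baseline would span days or weeks).
TRAINING = [42, 38, 45, 40, 39, 44, 41, 43, 37, 46, 40, 42]

# Constructed observations to classify: three in-profile hours and one burst.
OBSERVED = [44, 41, 120, 43]


class Profile:
    """Running mean / standard deviation of one metric (Welford's method),
    so the model can be trained once and then keep evolving over time."""

    def __init__(self):
        self.n = 0
        self.mean = 0.0
        self._m2 = 0.0  # sum of squared deviations from the running mean

    def update(self, x):
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self._m2 += delta * (x - self.mean)

    @property
    def stdev(self):
        return (self._m2 / self.n) ** 0.5 if self.n else 0.0

    def z_score(self, x):
        """Distance from the mean in standard deviations."""
        if self.stdev == 0:
            return 0.0 if x == self.mean else float("inf")
        return (x - self.mean) / self.stdev


def train(samples):
    """Training phase: build the statistical profile from clean data."""
    profile = Profile()
    for x in samples:
        profile.update(x)
    return profile


def monitor(profile, values, threshold=3.0, learn=True):
    """Detection phase. Returns [(value, z, anomalous)] for each observation.

    With learn=True the profile keeps evolving, but only from values that
    were judged normal: feeding flagged values back in would let an attacker
    slowly walk the baseline toward their own behaviour.
    """
    results = []
    for x in values:
        z = profile.z_score(x)
        anomalous = abs(z) > threshold
        results.append((x, z, anomalous))
        if learn and not anomalous:
            profile.update(x)
    return results


if __name__ == "__main__":
    p = train(TRAINING)
    print(f"baseline mean={p.mean:.1f} stdev={p.stdev:.2f}")
    for x, z, flag in monitor(p, OBSERVED):
        print(f"{x:4d}  z={z:6.2f}  {'ANOMALY' if flag else 'ok'}")
```

The threshold is where the false-positive / false-negative trade-off from the card lives: a single metric with a fixed z cut-off is cheap, but it only catches behaviour that shows up as a volume change, which is the "not all behaviors can be modeled" limitation.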
signature or heuristic detection
- Used to detect intrusions by observing events in the system and applying either a set of signature patterns to the data, or a set of rules that characterize the data, leading to a decision regarding whether the observed data indicates normal or anomalous behavior
Honeypot Deployment: Location 2 (in DMZ)
-: Other systems in the DMZ (e.g., the email server) must first be secured
-: Systems in the DMZ are not fully accessible, so the honeypot cannot trap as many attackers; opening up the firewall for the honeypot is risky
Intrusion Detection Techniques
As with host-based intrusion detection, network-based intrusion detection uses
- Signature detection
- Anomaly detection
Intrusion Detection: Application layer reconnaissance and attacks
look for attack patterns targeting application protocols (DNS, HTTP, POP)
File integrity checksums
A common approach to detecting intruder activity on a system is to periodically scan critical files for changes from the desired baseline, by comparing the current cryptographic checksums of these files with a record of known-good values.
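An added example (not from the textbook or the page) of the baseline-and-compare check described above: SHA-256 digests of a few files are recorded while the system is known good, then recomputed and compared. The files, their contents and the temporary directory are constructed; the example assumes the baseline is a JSON map of path to hex digest kept somewhere an intruder on the host cannot rewrite. The simulated intruder restores the modified file's timestamps, which is why a content hash rather than an mtime check is used.

```python
"""File integrity checking by baseline-and-compare of SHA-256 digests.

Added example; not code from the textbook page. It assumes the baseline
(a JSON map of path -> hex digest) is taken when the system is known good
and stored where an intruder on the host cannot rewrite it. The files
below are created in a temporary directory with constructed contents.
"""
import hashlib
import json
import os
import tempfile

CHUNK = 64 * 1024


def digest_file(path):
    """SHA-256 of a file, read in chunks so large binaries don't load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(paths):
    """Known-good state: one digest per monitored file."""
    return {p: digest_file(p) for p in paths}


def check_baseline(baseline):
    """Recompute digests and classify each file against the baseline."""
    findings = {"modified": [], "missing": [], "unchanged": []}
    for path, known in baseline.items():
        if not os.path.isfile(path):
            findings["missing"].append(path)
        elif digest_file(path) != known:
            findings["modified"].append(path)
        else:
            findings["unchanged"].append(path)
    return findings


def demo():
    """Create three constructed config files, baseline them, then simulate an
    intruder who edits one and deletes another while restoring timestamps."""
    root = tempfile.mkdtemp()
    passwd = os.path.join(root, "passwd")
    sshd = os.path.join(root, "sshd_config")
    hosts = os.path.join(root, "hosts")
    for path, data in ((passwd, b"root:x:0:0:root:/root:/bin/bash\n"),
                       (sshd, b"PermitRootLogin no\n"),
                       (hosts, b"127.0.0.1 localhost\n")):
        with open(path, "wb") as f:
            f.write(data)

    # The baseline would normally be written off-host or to read-only media;
    # serialising it shows it is just data the checker reads back later.
    stored = json.dumps(build_baseline([passwd, sshd, hosts]))

    before = os.stat(sshd)
    with open(sshd, "wb") as f:
        f.write(b"PermitRootLogin yes\n")
    os.utime(sshd, (before.st_atime, before.st_mtime))  # timestamps restored
    os.remove(hosts)

    return check_baseline(json.loads(stored)), (passwd, sshd, hosts)


if __name__ == "__main__":
    findings, _ = demo()
    for kind, paths in findings.items():
        for p in paths:
            print(f"{kind:9s} {p}")
```

Two things the check cannot do on its own: it says nothing about files that are not in the baseline (an added backdoor binary), and if the checker and its baseline live on the compromised host, the intruder can rewrite both; a bootable read-only copy of each is the usual answer.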
system call traces
A record of the sequence of system calls made by processes on a system; widely acknowledged as the preferred data source for HIDS.
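Added example, not from the textbook or the page: the classic way a HIDS turns a system call trace into a detection. Short fixed-length windows (n-grams) of system calls are recorded from training traces of one program; a later trace is scored by how many of its windows were never seen. The traces are constructed stand-ins for a hypothetical network daemon, the window length and threshold are illustrative assumptions, and the "suspect" trace is what a buffer overflow that spawns a shell would plausibly look like, not a real capture.

```python
"""Sequence-based anomaly detection over system call traces.

Added example; not code from the textbook page. It implements the classic
fixed-length n-gram approach for HIDS: record every short sequence of
system calls a program makes during training, then flag traces containing
sequences never seen. Traces below are constructed, not real captures, and
stand for a hypothetical network daemon profiled on its own.
"""

N = 3  # window length; small values (3-6) are typical

# Constructed training traces from normal operation of one daemon.
NORMAL_TRACES = [
    ["open", "read", "mmap", "mmap", "close", "socket", "bind", "listen",
     "accept", "read", "write", "close"],
    ["open", "read", "mmap", "close", "socket", "bind", "listen",
     "accept", "read", "read", "write", "close"],
    ["accept", "read", "write", "close", "accept", "read", "write", "close"],
]

# Constructed trace: a normal session that never occurred verbatim in training.
NOVEL_NORMAL = ["open", "read", "mmap", "close", "socket", "bind", "listen",
                "accept", "read", "write", "close"]

# Constructed trace: the same daemon after an overflow in the request
# handler makes it run injected code that spawns a shell.
SUSPECT = ["accept", "read", "read", "read", "setuid", "execve",
           "fork", "execve", "open", "write"]


def ngrams(trace, n=N):
    """All length-n windows of a trace, as tuples."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


def train(traces, n=N):
    """Normal database: the set of every n-gram seen in training."""
    db = set()
    for trace in traces:
        db.update(ngrams(trace, n))
    return db


def score(db, trace, n=N):
    """Return (unseen_count, total_count, unseen_ngrams) for one trace."""
    grams = ngrams(trace, n)
    unseen = [g for g in grams if g not in db]
    return len(unseen), len(grams), unseen


def is_anomalous(db, trace, threshold=0.1, n=N):
    """Flag a trace when more than `threshold` of its n-grams are unseen.
    The tolerance absorbs rare-but-legitimate paths missing from training."""
    unseen, total, _ = score(db, trace, n)
    return total > 0 and unseen / total > threshold


if __name__ == "__main__":
    db = train(NORMAL_TRACES)
    for name, trace in (("novel-normal", NOVEL_NORMAL), ("suspect", SUSPECT)):
        unseen, total, grams = score(db, trace)
        print(f"{name}: {unseen}/{total} unseen n-grams -> "
              f"{'ANOMALY' if is_anomalous(db, trace) else 'ok'}")
        for g in grams:
            print("   ", " -> ".join(g))
```

The novel-but-normal trace scores zero unseen windows even though it never appeared in training, which is the point of looking at local order rather than whole traces. Profiles must be built per program, and the approach is known to be evadable by "mimicry" attacks that pad malicious calls with normal-looking ones, so it is a sensor input, not a verdict.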
Security Intrusion
a security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so
Intrusion Detection
A security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near-real-time warning of, attempts to access system resources in an unauthorized manner.
Intrusion Detection: Network layer reconnaissance and attacks
analyze IPv4, IPv6, ICMP, and IGMP at this level
Intrusion Detection: Transport layer reconnaissance and attacks
analyze TCP and UDP traffic (e.g., unusual scans for vulnerable ports, SYN floods)
Intrusion Detection: Unexpected application services
attempts to determine if the activity on a transport connection is consistent with the expected application protocol
Audit (log file) records
Most modern operating systems include accounting software that collects information on user activity.
+ Advantage: no additional collection software is needed
+ Disadvantage: audit records may not contain the needed information, or may not contain it in a convenient form
+ Intruders may attempt to manipulate these records to hide their actions
Anomaly Detection Techniques: Scanning
occurs when attacker probes a target network by sending different kinds of packets
Intrusion Detection: Policy violations
prohibit inappropriate web sites and application protocols
Anomaly Detection Techniques: Denial-of-services (DoS) attacks
Such attacks involve either significantly increased packet traffic or significantly increased connection attempts, which overwhelm the target system.
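The three network anomaly cards (worm, scanning, DoS) describe behaviours that are all visible in flow summaries rather than payloads. The block below is an added example, not code from the textbook or the page, with one detector per card run over a constructed set of flow records shaped like NetFlow or Zeek conn.log entries (source, destination, destination port, and whether the attempt never completed). The baseline window, the detection window and the thresholds are all constructed assumptions.

```python
"""Flow-level detectors for the three anomaly classes above: scanning,
denial of service, and worm-like spread.

Added example; not code from the textbook page. Input records are
constructed (src, dst, dport, syn_only) tuples standing in for flow
summaries such as NetFlow or Zeek conn.log entries, where syn_only marks a
connection attempt that never completed. Thresholds are illustrative
assumptions, not tuned values.
"""
from collections import defaultdict

# Constructed baseline window from normal operation (training data).
BASELINE_FLOWS = [
    ("10.0.0.5", "10.0.0.20", 445, False), ("10.0.0.5", "10.0.0.21", 445, False),
    ("10.0.0.6", "10.0.0.20", 80, False), ("10.0.0.7", "10.0.0.20", 80, False),
]

# Constructed detection window mixing four behaviours.
OBSERVED_FLOWS = (
    # vertical port scan: one host probes 20 ports on the file server
    [("10.0.0.99", "10.0.0.20", port, True) for port in range(20, 40)]
    # SYN flood: 200 sources, each one half-open attempt to the web server
    + [(f"203.0.113.{i}", "10.0.0.20", 80, True) for i in range(1, 201)]
    # worm-like: 10.0.0.6 suddenly talks SMB to 15 hosts it never contacted
    + [("10.0.0.6", f"10.0.0.{h}", 445, False) for h in range(30, 45)]
    # ordinary traffic that also appears in the baseline
    + [("10.0.0.7", "10.0.0.20", 80, False)] * 10
)


def detect_scans(flows, min_ports=10, min_hosts=10):
    """Vertical scan: one (src, dst) pair touching many distinct ports.
    Horizontal scan: one (src, dport) pair touching many distinct hosts."""
    ports_per_pair = defaultdict(set)
    hosts_per_port = defaultdict(set)
    for src, dst, dport, _ in flows:
        ports_per_pair[(src, dst)].add(dport)
        hosts_per_port[(src, dport)].add(dst)
    vertical = sorted(k for k, v in ports_per_pair.items() if len(v) >= min_ports)
    horizontal = sorted(k for k, v in hosts_per_port.items() if len(v) >= min_hosts)
    return vertical, horizontal


def detect_syn_flood(flows, max_half_open=100):
    """Connection attempts that never complete, counted per (dst, dport)."""
    half_open = defaultdict(int)
    for _, dst, dport, syn_only in flows:
        if syn_only:
            half_open[(dst, dport)] += 1
    return sorted(k for k, n in half_open.items() if n > max_half_open)


def detect_worm_spread(baseline, flows, min_new_peers=5):
    """Hosts that contact many peers they never spoke to in the baseline,
    on a port they never used in the baseline (new pairings + new ports)."""
    known_pairs = {(s, d) for s, d, _, _ in baseline}
    known_ports = defaultdict(set)
    for s, _, p, _ in baseline:
        known_ports[s].add(p)
    new_peers = defaultdict(set)
    for src, dst, dport, _ in flows:
        if (src, dst) not in known_pairs and dport not in known_ports[src]:
            new_peers[src].add(dst)
    return sorted(s for s, peers in new_peers.items() if len(peers) >= min_new_peers)


if __name__ == "__main__":
    vertical, horizontal = detect_scans(OBSERVED_FLOWS)
    print("vertical scans   :", vertical)
    print("horizontal scans :", horizontal)
    print("SYN flood targets:", detect_syn_flood(OBSERVED_FLOWS))
    print("worm-like hosts  :", detect_worm_spread(BASELINE_FLOWS, OBSERVED_FLOWS))
```

The worm detector and the horizontal-scan detector both fire on 10.0.0.6, which is expected: a spreading worm scans. The bandwidth indicator from the worm card is not modelled here because these records carry no byte counts; with real flow data you would add a per-host bytes-per-window profile alongside these. Hosts absent from the baseline (10.0.0.99, the flood sources) have no "known" ports, so every port is new to them; the peer-count threshold is what keeps them out of the worm result.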
registry access
On Windows systems, a useful data source is monitoring access to the registry, given the amount of information it holds and how heavily programs on these systems rely on it.