P2 L4 - Intrusion Detection
Check any item that is true. To improve detection performance, an IDS should: ●Reduce false alarm rate while detecting as many intrusions as possible ●Apply detection models at all unfiltered packet data directly ●Apply detection models at processed event data that has higher base rate
- True - False - True
Monitoring Networks and Hosts
An IDS performs passive monitoring: ●It records and analyzes data about system and network activity ●If the IDS sends out an alert AND the response policy dictates intervention, then activities are affected
SNORT Configuration
Configured as passive ●Monitors traffic ●Is not in the main transmission path ●Is not an inline sensor Configured as Intrusion Detection
Firewall Versus Network IDS
Firewall ●Active filtering ●Fail-close Network IDS ●Passive monitoring ●Fail-open
What are the key design elements of the intrusion detection?
First, for intrusion detection to even be possible, we need these assumptions Primary assumptions: ●System activities are observable (systems, networks, and user activities ●From the activities that we can observe, normal and intrusive activities have distinct evidence => For intrusion detection to even be possible, we must be able to find evidence of intrusions by observing systems, networks, and user activities
Knowledge Based Approaches
This approach relies on experts to develop a set of rules that describe the normal and legitimate behaviors observed during training ●Developed during training to characterize data into distinct classes Advantages: ●Robust ●Flexible Disadvantages: ●The difficulty and time required to develop knowledge from the data ●Human experts must assist with the process
Quiz: True or False - Activists are either individuals or members of an organized crime group with a goal of financial reward.
False Activists typically have a social or political cause
Quiz: True or False - Those who hack into computers do so for the thrill of it or for status.
False Only applied for some attackers but there are many attackers who attack computers for other reasons For example: illicit financial gains
Signature Detection Quiz ●New threats can be detected immediately. ●When a new virus is identified, it must be added to the signature databases ●Can only detect an intrusion attempt if it matches a pattern that is in the database
False True True
Quiz: True or False - Running a packet sniffer on a workstation to capture usernames and passwords is an example of intrusion.
True
Quiz: True or False Intruders typically use steps from a common attack methodology.
True
Evaluating IDS
We typically use accuracy metrics to measure the detection algorithm. - Detection rate or True Positive(TP) rate: given that there is an intrusion, how likely will the IDS correct output an alert. - False Negative Rate: FN = 1 - TP -False alarm or False Positive (FP) rate: given that there is no intrusion, how likely is the IDS to falsely output an alert. - True Negative Rate: TN = 1 - FP -Bayesian detection rate: given that the IDS produces an alert, how likely is it that an intrusion actually occurs?
SNORT Consists of Four Logical Components
A Snort installation consists of four logical components ( Figure 8.9 ): ●Packet decoder: The packet decoder processes each captured packet to identify and isolate protocol headers at the data link, network, transport, and application layers. The decoder is designed to be as efficient as possible and its primary work consists of setting pointers so that the various protocol headers can be easily extracted. ●Detection engine: The detection engine does the actual work of intrusion detection. This module analyzes each packet based on a set of rules defined for this configuration of Snort by the security administrator. In essence, each packet is checked against all the rules to determine if the packet matches the characteristics defined by a rule. The first rule that matches the decoded packet triggers the action specified by the rule. If no rule matches the packet, the detection engine discards the packet. ●Logger: For each packet that matches a rule, the rule specifies what logging and alerting options are to be taken. When a logger option is selected, the logger stores the detected packet in human readable format or in a more compact binary format in a designated log file. The security administrator can then use the log file for later analysis. ●Alerter: For each detected packet, an alert can be sent. The alert option in the matching rule determines what information is included in the event notification. The event notification can be sent to a file, to a UNIX socket, or to a database. Alerting may also be turned off during testing or penetration studies. Using the UNIX socket, the alert can be sent to a management machine elsewhere on the network.
Signature Approach Advantages & Disadvantages
Advantages: ●Low cost in time and resource use ●Wide Acceptance Disadvantages: ●Significant effort to identify and review new malware to create signatures ●inability to detect zero-day attacks
Analysis Approaches - Anomaly detection
- Anomaly detection: tries to detect what is not normal ●Involves the collection of data relating to the behavior of legitimate users over a period of time ●Current observed behavior is analyzed to determine whether this behavior is that of a legitimate user or that of an intruder
NIDS Sensor Deployment Quiz ● Set the IDS level to the highest sensitivity to detect every attack ● Monitor both outbound and inbound traffic ● Use a shared network resource to gather NIDS data ● NIDS sensors are turnkey solutions, system administrators can interpret alerts.
- False - True - False: because an attacker can disable the IDS or modify the alerts that sent - True: because network IDS can produce false positives, therefore, the system admins must interpret the alerts and take appropriate action
Honeypot Quiz Put True (T) next to each true statement and False (F) next to each false statement. ● A common location for a NIDS sensor is just inside the external firewall ●A Honeypot can be a workstation that a users uses for work ●There is no benefit of deploying a NIDS or Honeypot outside of the external firewall
- True - False - False - allow us to see what attacks are coming from internet to the enterprise network
Analysis Approaches -Misuse or signature detection
-Misuse or signature detection: tries to find a match of known intrusions ●Uses a set of known malicious data patterns or attack rules that are compared with current behavior ●Also known as misuse detection ●Can only identify known attacks for which it has patterns or rules
Machine Learning Intruder Detection Approaches -Bayesian networks -Markov models -Neural networks -Clustering and outlier detection
A variety of machine-learning approaches have been tried, with varying success. These include: ● Bayesian networks: Encode probabilistic relationships among observed events, for example, how likely an email is sent by a user if the current time is 2 AM; if a low probability activity takes place, it anomalous. ● Markov models: Develop a model with sets of states, some possibly hidden, interconnected by transition probabilities. For example, Markove models can be used to model legitimate web site names because the transition probabilities from one letter to the next are similar to that of real dictionary words because users need to type the web site names; a randomly spelled web site name is anomalous and may be used by botnets for command and control. ●Neural networks: Simulate human brain operation with neurons and synapse between them, that classify observed data. These are one of the most powerful algorithms. ●Clustering and outlier detection: Group the observed data into clusters based on some similarity or distance measure, and then identify subsequent data as either belonging to a cluster or as an outlier. For example, traffic from the internal network to the company's internal web server have common characteristics that can be grouped into clusters based on the web pages visited; other the hand, an attack may access data on the web server that is rare requested, which makes it an outlier.
Zero Day Market Place Quiz In the thriving zero day attack marketplace hackers sell information on software vulnerabilities. Can you guess some of the buyers? ● Apple ● Google ● Microsoft ● U.S Governemnt
All The black market on zero day vulnerabilities is quite strong. Companies pay hackers to tell them of their vulnerabilities. A zero day vulnerability in the Linux OS sold for $50,000.
Anomaly Quiz Which of the following could be considered an anomaly to typical network traffic? ● An IP address ●A port address ●Packet length ●Flag setting
All of the answers can be considered to be anomaly to normal network traffic. If the IP address is not one normally accessed by users or is not well known, this is an anomaly. If the port address is odd or the packet length is unusual then these can also considered worthy of further investigation
Host IDS
An IDS can also be deployed at an end-host, and such an IDS is a host-based IDS. It can use a variety of data on systems activities. For example, most host-based IDSs use ptrace to obtain the system calls made by a program to monitor the behaviors of the program. System call data is very useful to security monitoring because whenever a program requests a resource, such as memory allocation, access to the filesystem, networks, and I/O devices, it needs to make a system call to the operating system because the OS manages the system resources. That is, most of the "interesting" or "useful" activities by a program are carried out through systems calls. For example, if the user's browser receives a page with a malicious Javascript that is able to break the protection in the browser and attempts to overwrite the windows registry file, the IDS will observe a "write" system call to the registry file, and can decide that this is an anomaly.
Network IDS
An IDS can be deployed at the perimeter of a network or subnet to monitor traffic going in and out of the network. Such an IDS is a network IDS. It uses a packet capturing tool, such as the libpcap, to obtain network traffic data. The packet data contains the complete information about network connections. For example, if a user connects to a web site using his browser, the packet data will contain all the TCP handshake information between the browser and the web server, and all the URL requests from the browser and the return page contents from the server. That is, by examining the packet data, the IDS has all the data sent and received by the user's browser. If the user's machine is infected by a bot malware, for example, if it attempts to connect to a web site for command and control, the network IDS will be able to see that the traffic looks like C&C activities and output an alert.
Evasion Attack
Attacker can hide part of the attack and cause the IDS to miss detecting the attack. For example, by sending fragments that overlap, the IDS may discard a fragment that overlaps with the previous fragment while the end-host may accept both. The result is that the IDS will miss the attack. For example, in the attacker data, the two As overlap: the IDS will drop the second one but the end-host accepts both.
Insertion Attack
Attacker can insert data into the packet stream to cause the IDS to miss detecting the attack. For example, by including a packet with bad checksum, the end-host may reject this packet and yet the IDS will accept it. As a result, the end-host gets attacked and yet the IDS misses detecting it. For example, the attacker sends these packets, although out of order, both the IDS and the end-host will assemble them according to the sequence numbers. One of them, X, has bad checksum: the IDS will accept it but the end-host will reject it.
Eluding Network IDS
Attackers can defeat an IDS by exploiting the differences between the IDS and the end-host when they process the same traffic. TCP/IP protocol specifications have ambiguities that lead to different implementations in different operating systems. As a result, if the IDS runs on UNIX and the end-host runs on Windows, they may not process certain packets exactly the same way. By exploiting these differences, the attacker hopes that the IDS would miss detecting the attack traffic, while the end-host will be affected by the attack traffic as intended by the attacker.
Defense-in-Depth Strategy - IDS
Because IDSs are not always effective, they need to be part of a defense-in-depth strategy that may also include: - encryption of sensitive information - detailed audit trails - strong authentication and authorization controls - active management of operating system - and application security.
Intrusion Examples
By intrusion, we mean any attack that aims to compromise the security goals of an organization. For example: • Performing a remote root compromise of an e-mail server • Defacing a Web server with inappropriate web contents • Guessing and cracking passwords • Stealing a database containing credit card numbers • Reading sensitive data, including payroll records and medical information, without authorization • Running a packet sniffer on a workstation to capture usernames and passwords • Using a permission error on an anonymous FTP server to distribute pirated software and music files • Dialing into an unsecured modem and gaining internal network access • Posing as an executive, calling the help desk, resetting the executive's e-mail password, and learning the new password • Using an unattended, logged-in workstation without permission
Statistical Approaches
Characteristics: ●Use captured sensor data ●Multivariate models using time of and order of the event Advantages: ●their relative simplicity ●low computation cost ●lack of assumptions about expected behavior Disadvantages: ●difficulty selecting suitable metrics ●not all behaviors can be modeled using these approaches.
when it comes to designing an intrusion detection system, we must consider the following
Components of intrusion detection systems: ●From an algorithmic perspective: - Features - capture intrusion evidences - Models - piece evidences together ●From a system architecture perspective: - Audit data processor, knowledge base, decision engine, alarm generation and responses
Misuse or Signature Detection Detect intrusion by:
Detect intrusion by: ●observing events in the system ●applying a set of patterns or rules to the data ●determining if the is intrusive or normal
QUIZ: Select the characteristics that best match Intrusion Detection System and those that best match Firewalls - tries to stop intrusion from happening - tries to evaluate an intrusion after it has happened -watches for intrusions that start within the system -limits access between networks to prevent intrusion
Firewalls and IDS's are both part of a network security system. A firewall is designed to prevent an intrusion and an IDS is designed to detect an intrusion. F - tries to stop intrusion from happening I - tries to evaluate an intrusion after it has happened I -watches for intrusions that start within the system F -limits access between networks to prevent intrusion
Snort Rule Example: alert tcp any any -> 192.168.1.0/24 25 (content: "mail from: root"; msg: "root users attempts to send an email";)
Here is an example of Snort rule. The root user account should be used only for specific privileged systems and network admin operations, such as backing up file systems and setting up sub networks. It is uncommon to send email using the root account, and such an event should trigger an alert. Here is an example Snort rule. It looks at traffic to the SMTP port on any host in the /24 network, and checks if content of the email payload contains "mail from: root", which indicates a root user on any machine sending email. The content keyword is one of the more important features of Snort. It allows the user to set rules that search for specific content in the packet payload and trigger response based on that data
Misuse Signature Intruder Detection Example
Here is an example of a misuse detection approach. The IDS matches the observed activities using a set of attack signatures. If there is match, the IDS outputs an alert.
Anomaly Detection Example
Here is an example of a very simple anomaly detection approach. First, establish the normal run-time profile of a program, for example, in terms of CPU utilization, memory size, etc. This can be accomplished by running a program many times, and each time, record the values of these measurements, and then compute the means and variances. Once the profile is built, when the IDS observes that when the program is run, its measures deviate from the means beyond the allowed thresholds, or, the variances, meaning the values are outside of the normal ranges, the IDS outputs an alert.
Components of Intrusion Detection Systems
Here is an illustration of the workflow of intrusion detection, as well as the main components of an IDS. The input to an IDS is data that describes activities on systems and network. The data is processed by the Data Preprocessor to extract activity records that are of security interests, and these activity data needs to be analyzed by the Detection Engine, which uses the detection models already constructed for the IDS. If a detection rule determines that there is an intrusion, the IDS produces an alert. The decision engine then decides the appropriate action on the alert, e.g., a response that automatically blocks a network connection, or a report that is sent to the security admin. Again, for the IDS to work properly, we assume that system activities are observable and are captured in the input data to the IDS, and when detection models are applied to the data, normal and intrusive activities show distinct evidence.
Honeypots
Honeypots are decoy systems designed to lure attackers away from critical systems. Honeypots are designed to: ●divert an attacker ●collect information about an attacker ●encourage an attacker to stay long enough for administrators to respond ●Honeypots are filled with fabricated information ●Any accesses to honeypot trigger monitors and event loggers ●An attack against a honeypot is made to seem successful ●A honeypot has no production value ●There is no legitimate reason to access a honeypot ●Any attempt to communicate with a honeypot is most likely a probe, scan, or attack ●If a honeypot initiates outbound traffic, the system is most likely compromised
Honeypot Classifications
Honeypots are typically classified as being either low or high interaction. Low interaction honeypot: ●Emulates particular IT services or systems well enough to provide a realistic initial interaction, but does not execute a full version of those services or systems ●Provides a less realistic target ●Often sufficient for use as a component of a distributed IDS to warn of imminent attack High interaction honeypot ●A real system, with a full operating system, services and applications, which are instrumented and deployed where they can be accessed by attackers ●More realistic target that may occupy an attacker for an extended period ●However, it requires significantly more resources
Intrusion Detection Summary
In this lecture, we discussed the main intrusion detection approaches, in particular, the pros and cons of anomaly detection and misuse or signature detection. There are several types of intrusion detection systems, including network IDS, intrusion prevention systems, and honeypots. True positive and false positive rates are the most widely performance metrics. And the effect of false positive is highlighted by the base-rate fallacy. IDS can be bypassed by insertion and evasion attacks, and disabled by DoS attacks.
Rule Based Detection (Misuse Detection()
Instead of using only signatures of known attacks, a misuse detection systems can also use a more sophisticated, rule-based approach. ●Involves the use of rules for identifyingknown penetrations or penetrations thatwould exploit known weaknesses ●Rules can also be defined that identify suspicious behavior ●Typically rules used are specific ●SNORT is an example of a rule-based NIDS
Intrusion detection systems (IDS)
Intrusion detection systems, or IDSs for short, are designed to aid countering these types of threats. They can be reasonably effective against known, less sophisticated attacks, such as those by activist groups or large-scale email scams. They are likely less effective against the more sophisticated, targeted attacks by some criminal or state-sponsored intruders, since these attackers are more likely to use new, zero-day exploits, and to better obscure their activities on the targeted system.
Signature Approaches
Many misused detection approach are signature based. ●Match a large collection of known patterns of malicious data against data stored on a system or in transit over a network ●The signatures need to be large enough to minimize the false alarm rate, while still detecting a sufficiently large fraction of malicious data ●Widely used in anti-virus products, network traffic scanning proxies, and in NIDS
Quiz: Types of Backdoors Quiz Compiler Backdoor
Not only can a compiler back door insert a backdoor when compiling a program, it can also detect when it is being compiled itself and re-insert its own backdoor.
Quiz: Types of Backdoors Quiz Object Code Backdoors
Object Code Backdoors are inserted into machine code at either compilation, assembly linking, or loading. These types of backdoors are easier to detect through checksums and disassemblers.
NIDS QUIZ Can you think of a way to reduce the impact of excessive reporting on a system's administrator?
One method is to prioritize the alerts by adding a security level. The security level is based on the seriousness of the attack and the accuracy of the signature. For example, if a signature creates more than 90% false positives, then even a serious attack can be assigned a low level of threat.
Inline Sensors
One type of IDS configuration is inline sensors. The primary motivation for the use of inline sensors is to enable them to block an attack when one is detected. In this case the device is performing both intrusion detection and intrusion prevention functions. Sensors can be deployed in one of two modes: inline and passive. An inline sensor is inserted into a network segment so that the traffic that it is monitoring must pass through the sensor. One way to achieve an inline sensor is to combine NIDS sensor logic with another network device, such as a firewall or a LAN switch. This approach has the advantage that no additional separate hardware devices are needed; all that is required is NIDS sensor software.
Bayesian Detection Rate
P(I) is prior probability of attacks: this is the probability of intrusion evidences in the data. ●P(I) is base rate: prior probability of attacks ●Base-rate fallacy ●Even if false alarm rate P(A|¬I) is very low, Bayesian detection rate P(I|A) is still low if base-rate P(I) is low ●E.g. if P(A|I) = 1, P(A|¬I) = 10-5, P(I) = 2×10-5, P(I|A) = 66% When the IDS produces an alert, the probability that an intrusion has actually occurred is low. ●Implications to IDS ●Design algorithms to reduce false alarm rate ●Deploy IDS to appropriate point/layer with sufficiently high base rate ●Multiple independent detection models
Defense in Depth
Recall the defense-in-depth principle: we need multiple layers of defense mechanisms. That is, we need detection mechanisms even after we have deployed prevention mechanisms to detect attacks that can't be easily prevented, or, kept out of our networks and systems. We've discussed firewalls, a prevention mechanism. Today we discuss detection mechanisms. Typically, these mechanisms are called intrusion detection systems.
DoS Attacks on Network IDS
Resource exhaustion ●CPU resources ●Memory ●Network bandwidth Abusing reactive IDS ●False positives ●Nuisance attacks or "error" packets/connections
Check all those who can write rules for SNORT: ● Users of SNORT ● The SNORT Community ● Talos Security Intelligence and Research Team
SNORT has the an advantage of detecting zero day attacks by using rules to detect vulnerabilities. Who can write SNORT rules? SOLUTION:As open source software, everyone can write rules for SNORT. The rules can be submitted for approval by Talos and shared with the SNORT community.
SNORT
Snort is an open source, highly configurable and portable host-based or network-based IDS. Snort is referred to as a lightweight IDS, which has the following characteristics ●Easily deployed on most nodes ●Efficient operation ●Easily configured by system administrators ●Performs real-time packet capture ●Detects a variety of attacks and probes
Snort Rules
Snort uses a simple, flexible rule definition language that generates the rules used by the detection engine. Although the rules are simple and straightforward to write, they are powerful enough to detect a wide variety of hostile or suspicious traffic. Each rule consists of a fixed header and zero or more options.
A Variety of Classification Approaches ●Statistical ● Knowledge-based ●Machine-learning
The anomaly detection approach involves first developing a model of legitimate user behavior by collecting and processing sensor data from the normal operation of the monitored system in a training phase. This may occur at distinct times, or there may be a continuous process of monitoring and evolving the model over time. Once this model exists, current observed behavior is compared with the model in order to classify it as either legitimate or anomalous activity in a detection phase. A variety of classification approaches are used, which [GARC09] broadly categorized as: ●Statistical: Analysis of the observed behavior using univariate, multivariate, or time-series models of observed metrics. ● Knowledge-based: Approaches use an expert system that classifies observed behavior according to a set of rules that model legitimate behavior. ●Machine-learning: Approaches automatically determine a suitable classification model from the training data using data mining techniques. They also note two key issues that affect the relative performance of these alternatives, the efficiency, and cost of the detection process.
Snort Rule Actions
The header has the following elements: The most important field in a Snort rule header is the action field ● Action: The rule action tells Snort what to do when it finds a packet that matches the rule criteria. The table lists the available actions. The last three actions in the list (drop, reject, sdrop) are only available in inline mode. Following the rule header may be one or more rule options. Each option consists of: an option keyword, which defines the option; followed by arguments, which specify the details of the option. In the written form, the set of rule options is separated from the header by being enclosed in parentheses. Snort rule options are separated from each other using the semicolon (;) character. Rule option keywords are separated from their arguments with a colon (:) character.
Intruder Behavior
The techniques and behavior patterns of intruders are constantly shifting to exploit newly discovered weaknesses and to evade detection and countermeasures. However, intruders typically use steps from a common attack methodology. Typically the steps are ... • Target Acquisition and Information Gathering: that is, the attacker identifies and characterizes the target systems using publicly available information, both technical and non-technical, and use network exploration tools to map target resources. • Initial Access: this is typically accomplished by exploiting a remote network vulnerability, e.g., by guessing weak authentication credentials used in a remote service, or via the installation of malware on the system using some form of social engineering or drive-by-download. • Privilege Escalation: Actions taken on the system, typically via a local access vulnerability, to increase the privileges available to the attacker to enable their more powerful attacks on the target system. • Information Gathering or System Exploit: Actions by the attacker to access or modify information or resources on the system, or to navigate to another target system. • Maintaining Access: Actions such as the installation of backdoors or other malicious software, or through the addition of covert authentication credentials or other configuration changes to the system, to enable continued access by the attacker after the initial attack. • Covering Tracks: Where the attacker disables or edits audit logs, to remove evidence of attack activity, and uses rootkits and other measures to hide covertly installed files or code.
Anomalous Behavior Quiz One of the weaknesses of anomalous intruder detection is that a system must learn what is normal behavior. While it is learning this, the network is vulnerable to attack. What can be done to mitigate this weakness?
The weakness can be mitigated by also using a system that checks for known attack methods, such as a Firewall.
Snort Rule Options
There are four major categories of rule options: ● meta-data: Provide information about the rule but do not have any effect during detection ●payload: Look for data inside the packet payload and can be interrelated ● non-payload: Look for non-payload data ● post-detection: Rule-specific triggers that happen after a rule has matched a packet
Intrusion Detection Approaches
There are several ways to look at different intrusion detection approaches. Modeling and analysis ●Misuse detection (a.k.a. signature-based) ●Anomaly detection Deployment ●Host-based ●Network-based Development and maintenance ●Hand-coding of "expert knowledge" ●Learning based on data
Which of these characteristics describes the statistical approach and which describes a knowledge-based approach? Write S or K in the box: ●Any action that does not fit the normal behavior profile is considered an attack. ●Any action that is not classified as normal is considered to be an attack.
There is a fundamental difference between statistical and knowledge-based intruder detection approaches. Knowledge-based approaches use security experts to define the possible normal, or, acceptable behaviors, statistical approaches collect data on normal behavior and learn a profile using an algorithm. ●Any action that does not fit the normal BEHAVIOR PROFILE is considered an attack: S ●Any action that is not classified as normal is considered to be an attack: K
Quiz: Types of Backdoors Quiz Asymmetric Backdoors
This backdoor can only be used by the person who created it, even if it is discovered by others Asymmetric Backdoors can only be used by their creator, even if it is fully exposed. This type of backdoor is part of a field known as cryptovirology and can be very difficult to detect.
Anomaly Detection Quiz If malicious activity looks like normal traffic to the system, it will not detect an attack.
True
Anomaly Detection Quiz The longer the system is in use, the more it learns about network activity.
True
Anomaly Detection Quiz If malicious activity looks like normal traffic to the system, it will not detect an attack.
True Because anomaly detection detects what looks NOT like normal
Quiz: True or False - An intruder can also be referred to as a hacker or cracker.
True We sometimes use hacker to refer to an intruder
IDS Quiz: True or False ●Intrusion detection is based on the assumption that the behavior of the intruder differs from that of a legitimate user in ways that can be quantified. ●The primary purpose of an IDS is to detect intrusions, log suspicious events, and send alerts. ●Signature-based approaches attempt to define normal, or expected, behavior, whereas anomaly approaches attempt to define proper behavior. ●An network IDS sensor monitors a copy of network traffic; the actual traffic does not pass through the device. ●Network-based intrusion detection makes use of signature detection and anomaly detection.
True True False: Signature-based : known network instruction True True
Check any item that is true. To defeat an IDS, attackers can: ●Send a huge amount of traffic ●Embed attack in packets what cause non-uniform processing by different operating systems, e.g., bad checksum, overlapping fragments ● Send traffic that purposely matches detection rules ●Send a packet that would trigger a buffer-overload in the IDS code
Yes to all
Passive Sensors
●A passive sensor monitors a copy of network traffic; the actual traffic does not pass through the device ●Passive sensors are more efficient This illustrates a typical passive sensor configuration. The sensor connects to the network transmission medium, such as a fiber optic cable, by a direct physical tap. The tap provides the sensor with a copy of all network traffic being carried by the medium. The network interface card (NIC) for this tap usually does not have an IP address configured for it. All traffic into this NIC is simply collected with no protocol interaction with the network. The sensor has a second NIC that connects to the network with an IP address and enables the sensor to communicate with a NIDS management server.
Evaluating IDS Algorithm
●Alarm/positive: A; Intrusion: I ●Detection (true positive) rate: P(A|I) ●False negative rate P(¬A|I) ●False alarm rate: P(A|¬I) ●True negative rate P(¬A|¬I) ●Bayesian detection rate: P(I|A) For the point of view of system architecture, we want the IDS to be scalable, meaning that it can function at high-speed networks. We also want the IDS to be resilient to attacks, meaning that it is not easily disabled by attacks that target the IDS.
Intrusion Prevention Systems (IPS)
●Also known as Intrusion Detection and Prevention System (IDPS) ●Is an extension of an IDS that includes the capability to attempt to block or prevent detected malicious activity ●Can be host-based, network-based, or distributed/hybrid ●Can use anomaly detection to identify behavior that is not that of legitimate users, or signature/heuristic detection to identify known malicious behavior can block traffic as a firewall does, but makes use of the types of algorithms developed for IDSs to determine when to do so
Network Based IDS (NIDS)
●Monitors traffic at selected points on anetwork in real or close to real time ●May examine network, transport, and/or application-level protocol activity ●Comprised of a number of sensors, one or more servers for NIDS management functions, and one or more management consoles for the human interface ●Analysis of traffic patterns may be done at the sensor, the management server or a combination of the two
Architecture of Network IDS
●Packet data volume can be huge ●Base rate at the packet level is typically low ●Applying detection algorithms at this level may result in a low bayesian detection rate Instead, we can apply detection models to data that has higher base rate. This can be accomplished in a number of steps. First, we can apply filters to the packet data, e.g., by instructing libpcap to capture only packets to certain hosts and ports. Second, the event engine analyzes the filtered packet data and summarizes into security-related events, such a failed log-ins. Finally, detection models are applied to the security-related event data. (Show in layers) As we can see, the volume data is decreased first by the packet filter and then the event engine. Therefore, as long as we can keep the intrusion evidences in the event data, the base rate is going to be lot higher than the original packet data. As a result, the IDS model applied to event data will yield higher bayesian detection rate.
Write the name of each attack next to it's definition. The choices are Scanning Attack (S), DOS(D), and Penetration Attack(P). ● an attacker sends various kinds of packets to probe a system or network for a vulnerability that can be exploited ●attempts to slow down or completely shut down a target so as to disrupt the service for legitimate users ●an attacker gains an unauthorized control of a system
●Scanning Attack - an attacker sends various kinds of packets to probe a system or network for a vulnerability that can be exploited ●Denial of Service - attempts to slow down or completely shut down a target so as to disrupt the service for legitimate users ●Penetration Attack - an attacker gains unauthorized control of a system
Limitations of Anomaly Detection
●They are generally trained on legitimate data ●This limits the effectiveness of some of the techniques discussed.
Machine Learning Approaches
●Use data mining techniques to develop a model that can classify data as normal or anomalous Advantages: ●Flexibility ●Adaptability ●Ability to capture interdependencies between observed metrics Disadvantages: ●Dependency on assumptions about accepted behavior ●High false alarm rate ●High resource cost ●Significant time and computational resources
Machine Learning Quiz Which description best describes the Machine Learning approach for Intruder Detection: ●detects new and novel attacks ●detects attacks similar to past attacks
●detects attacks similar to past attacks Machine learning approach is best at detecting an attack that is similar to a previous, learned attack.
