
Upload: votram

Post on 12-May-2018


Page 1: Intrusion Detection (taylorpat/Courses_files/IntroSecurity/Content/...)


Intrusion Detection

Comp Sci 3600 Security


Outline

1 Introduction: Intruders; Intrusion detection

2 Analysis: Anomaly; Signature or heuristic

3 Host-based: Data sources and sensors; Anomaly; Signature or heuristic; Distributed

4 Network-based: Types of network sensors; Sensor locations; ID techniques; Logging alerts

5 Distributed or hybrid

6 ID data standards

7 Honeypots

8 Example: Snort


Classes of Intruders

• Individuals or members of an organized crime group with a goal of financial reward

• Their activities may include:

  • Identity theft
  • Theft of financial credentials
  • Corporate espionage
  • Data theft
  • Data ransoming

• Typically meet in underground forums to trade tips and data and coordinate attacks



Intruders - Activists

• Are either individuals, usually working as insiders, or members of a larger group of outsider attackers, who are motivated by social or political causes

• Also known as hacktivists

• Skill level is often low

• Aim of their attacks is often to promote and publicize their cause, typically through:

  • Website defacement
  • Denial of service attacks
  • Theft and distribution of data that results in negative publicity or compromise of their targets


Intruders - State-Sponsored Organizations

• Groups of hackers sponsored by governments to conduct espionage or sabotage activities

• Also known as Advanced Persistent Threats (APTs) due to the covert nature and persistence over extended periods involved with any attacks in this class

• Widespread nature and scope of these activities by a wide range of countries, from China to the USA, UK, and their intelligence allies


Intruders - Others

• Include classic hackers or crackers who are motivated by technical challenge or by peer-group esteem and reputation

• Many of those responsible for discovering new categories of buffer overflow vulnerabilities could be regarded as members of this class

• Given the wide availability of attack toolkits, there is a pool of “hobby hackers” using them to explore system and network security


Intruder Skill Levels - Apprentice

• Hackers with minimal technical skill who primarily use existing attack toolkits

• They likely comprise the largest number of attackers, including many criminal and activist attackers

• Given their use of existing known tools, these attackers are the easiest to defend against

• Also known as “script-kiddies” due to their use of existing scripts (tools)


Intruder Skill Levels - Journeyman

• Hackers with sufficient technical skills to modify and extend attack toolkits to use newly discovered, or purchased, vulnerabilities

• They may be able to locate new vulnerabilities to exploit that are similar to some already known

• Hackers with such skills are likely found in all intruder classes

• Adapt tools for use by others


Intruder Skill Levels - Master

• Hackers with high-level technical skills capable of discovering brand new categories of vulnerabilities

• Write new powerful attack toolkits

• Some of the better known classical hackers are of this level

• Some are employed by state-sponsored organizations

• Defending against these attacks is of the highest difficulty


Examples of Intrusion

• Performing a remote root compromise of an e-mail server

• Defacing a Web server

• Guessing and cracking passwords

• Copying a database containing credit card numbers

• Viewing sensitive data, including payroll records and medical information, without authorization

• Running a packet sniffer on a workstation to capture usernames and passwords

• Using a permission error on an anonymous FTP server to distribute pirated software and music files

• Dialing into an unsecured modem and gaining internal network access

• Posing as an executive, calling the help desk, resetting the executive’s e-mail password, and learning the new password

• Using an unattended, logged-in workstation without permission


Intruder Behavior

• Target acquisition and information gathering

• Initial access

• Privilege escalation

• Information gathering and system exploit

• Maintaining access

• Covering tracks


Target Acquisition and Information Gathering

• Explore corporate website for information on corporate structure, personnel, key systems, as well as details of specific web server and OS used.

• Gather information on target network using DNS lookup tools such as dig, host, and others; and query WHOIS database.

• Map network for accessible services using tools such as NMAP.

• Send query email to customer service contact, review response for information on mail client, server, and OS used, and also details of person responding.

• Identify potentially vulnerable services, e.g. vulnerable web CMS.


Initial Access

• Brute force (guess) a user’s web content management system (CMS) password.

• Exploit vulnerability in web CMS plugin to gain system access.

• Send spear-phishing email with link to web browser exploit to key people.


Privilege Escalation

• Scan system for applications with local exploit.

• Exploit any vulnerable application to gain elevated privileges.

• Install sniffers to capture administrator passwords.

• Use captured administrator password to access privileged information.


Information Gathering or System Exploit

• Scan files for desired information.

• Transfer large numbers of documents to external repository.

• Use guessed or captured passwords to access other servers on network.


Maintaining Access

• Install remote administration tool or rootkit with backdoor for later access.

• Use administrator password to later access network.

• Modify or disable anti-virus or IDS programs running on system.


Covering Tracks

• Use rootkit to hide files installed on system.

• Edit logfiles to remove entries generated during the intrusion.



Definitions

Security Intrusion: A security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so.

Intrusion Detection: A security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner.


Intrusion Detection System (IDS)

• Sensors - collect data

• Analyzers - determine if intrusion has occurred

• User interface - view output or control system behavior


Intrusion Detection System (IDS)

Host-based IDS (HIDS)

• Monitors the characteristics of a single host for suspicious activity

Network-based IDS (NIDS)

• Monitors network traffic and analyzes network, transport, and application protocols to identify suspicious activity

Distributed or hybrid IDS

• Combines information from a number of sensors, often both host and network based, in a central analyzer that is able to better identify and respond to intrusion activity


Discrimination between normal and intruder behavior

Figure 8.1 Profiles of Behavior of Intruders and Authorized Users [figure: probability density function plotted against a measurable behavior parameter, showing the profile of authorized user behavior, the profile of intruder behavior, the average behavior of each, and the overlap in observed or expected behavior]


IDS requirements

• Run continually with minimal human supervision.

• Be fault tolerant in the sense that it must be able to recover from system crashes and reinitializations.

• Resist subversion. The IDS must be able to monitor itself and detect if it has been modified by an attacker.

• Impose a minimal overhead on the system where it is running.

• Be able to be configured according to the security policies of the system that is being monitored.

• Be able to adapt to changes in system and user behavior over time.

• Be able to scale to monitor a large number of hosts.

• Provide graceful degradation of service in the sense that if some components of the IDS stop working for any reason, the rest of them should be affected as little as possible.

• Allow dynamic reconfiguration; that is, the ability to reconfigure the IDS without having to restart it.



Analysis Approaches

Anomaly detection

• Involves the collection of data relating to the behavior of legitimate users over a period of time

• Current observed behavior is analyzed to determine whether this behavior is that of a legitimate user or that of an intruder

Signature/Heuristic detection

• Uses a set of known malicious data patterns or attack rules that are compared with current behavior

• Can only identify known attacks for which it has patterns or rules



Anomaly based detection

Statistical

• Analysis of the observed behavior using univariate, multivariate, or time-series models of observed metrics

Knowledge based

• Approaches use an expert system that classifies observed behavior according to a set of rules that model legitimate behavior

Machine learning

• Approaches automatically determine a suitable classification model from the training data using data mining techniques: Bayesian networks, Markov models, neural networks, fuzzy logic, genetic algorithms, clustering, and reinforcement learning.
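As an added example (not from the slides), a univariate statistical anomaly detector in Python: it builds a profile of one assumed metric (files accessed per day) from a constructed training period, scores new observations in standard deviations, and then uses the two overlapping normal curves of Figure 8.1 to show how moving the alarm threshold trades false alarms against missed intrusions. The training counts and the intruder profile are constructed assumptions.

```python
import math
from statistics import mean, stdev

# Constructed training data: files accessed per day by one user during a
# profiling period in which the user is assumed to be legitimate. The metric
# itself is an assumption; the slides only say "observed metrics".
TRAINING = [42, 38, 51, 45, 40, 47, 44, 39, 50, 43, 46, 41, 48, 44, 45]

# Constructed assumption for the intruder population (the second curve of
# Figure 8.1): intruders touch far more files per day, with more spread.
INTRUDER_PROFILE = {"mean": 70.0, "stdev": 8.0}


def build_profile(samples):
    """Univariate profile of normal behaviour: sample mean and standard deviation."""
    return {"mean": mean(samples), "stdev": stdev(samples)}


def score(profile, observation):
    """Distance of an observation from the profile, in standard deviations (z-score)."""
    return abs(observation - profile["mean"]) / profile["stdev"]


def classify(profile, observation, threshold=3.0):
    """Flag an observation whose z-score exceeds the threshold as anomalous."""
    return "anomalous" if score(profile, observation) > threshold else "normal"


def normal_cdf(x, mu, sigma):
    """P(X <= x) for a normal distribution, via the error function."""
    return 0.5 * (1.0 + math.erf((x - mu) / (sigma * math.sqrt(2.0))))


def error_rates(authorized, intruder, threshold):
    """False-alarm rate (authorized user above threshold) and miss rate
    (intruder below threshold) for a one-sided alarm on the raw metric.
    Both populations are modelled as normal curves, as in Figure 8.1, and
    the intruder curve is assumed to lie to the right of the authorized one."""
    false_alarm = 1.0 - normal_cdf(threshold, authorized["mean"], authorized["stdev"])
    miss = normal_cdf(threshold, intruder["mean"], intruder["stdev"])
    return false_alarm, miss


def choose_threshold(authorized, intruder, max_false_alarm, step=0.1):
    """Lowest threshold whose false-alarm rate meets a policy budget.
    Returns (threshold, miss_rate): the miss rate is the price of that budget."""
    threshold = authorized["mean"]
    while True:
        false_alarm, miss = error_rates(authorized, intruder, threshold)
        if false_alarm <= max_false_alarm:
            return threshold, miss
        threshold += step


if __name__ == "__main__":
    profile = build_profile(TRAINING)
    for today in (47, 60):
        print(today, classify(profile, today), round(score(profile, today), 2))
    for t in (50.0, 55.0, 60.0):
        fa, miss = error_rates(profile, INTRUDER_PROFILE, t)
        print(f"threshold {t}: false alarm {fa:.4f}, miss {miss:.4f}")
    print("threshold for a 1% false-alarm budget:",
          choose_threshold(profile, INTRUDER_PROFILE, 0.01))
```

Raising the threshold always lowers the false-alarm rate and raises the miss rate; the overlap region in Figure 8.1 is exactly the range of thresholds where neither can be driven to zero.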



Signature or heuristic based detection

Signature approaches

• Match a large collection of known patterns of malicious data against data stored on a system or in transit over a network

• The signatures need to be large enough to minimize the false alarm rate, while still detecting a sufficiently large fraction of malicious data

• Widely used in anti-virus products, network traffic scanning proxies, and in NIDS

Rule-based heuristic identification

• Involves the use of rules for identifying known penetrations or penetrations that would exploit known weaknesses

• Rules can also be defined that identify suspicious behavior, even when the behavior is within the bounds of established patterns of usage

• Typically rules used are specific

• SNORT is an example of a rule-based NIDS
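An added example, not from the slides or from the Snort project: a Python matcher for a small subset of Snort's rule syntax (the header plus the msg, content, nocase and sid options), run over constructed packets to show how specific rules fire only on the traffic they describe. The rules, the value of $HOME_NET and the packets are all constructed; the sids are in the local (1000000 and up) range.

```python
import ipaddress
import re

# Header: action proto src sport -> dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)

# Constructed rules in Snort syntax. Only msg, content, nocase and sid are
# understood here; real Snort rules carry many more options.
RULES_TEXT = """
alert tcp any any -> $HOME_NET 80 (msg:"Constructed: path traversal in HTTP request"; content:"../"; sid:1000001;)
alert tcp any any -> $HOME_NET 21 (msg:"Constructed: anonymous FTP login"; content:"USER anonymous"; nocase; sid:1000002;)
"""
VARIABLES = {"$HOME_NET": "10.0.0.0/24"}   # constructed monitored network


def parse_rule(text, variables=None):
    """Parse one rule line. Options are split on ';', so a content string
    that itself contains ';' is outside this subset."""
    variables = variables or {}
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable rule: " + text)
    rule = m.groupdict()
    rule["src"] = variables.get(rule["src"], rule["src"])   # expand $HOME_NET etc.
    rule["dst"] = variables.get(rule["dst"], rule["dst"])
    opts = {"nocase": False}
    for opt in (o.strip() for o in rule.pop("opts").split(";")):
        if not opt:
            continue
        name, _, value = opt.partition(":")
        if name == "nocase":
            opts["nocase"] = True
        else:
            opts[name] = value.strip().strip('"')
    rule["opts"] = opts
    return rule


def parse_rules(text, variables=None):
    return [parse_rule(line, variables) for line in text.splitlines() if line.strip()]


def _addr_match(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_match(spec, port):
    return spec == "any" or int(spec) == port


def rule_matches(rule, pkt):
    """Every header field must match, then the content (if any) must occur in the payload."""
    if rule["proto"] != pkt["proto"]:
        return False
    if not (_addr_match(rule["src"], pkt["src"]) and _addr_match(rule["dst"], pkt["dst"])):
        return False
    if not (_port_match(rule["sport"], pkt["sport"]) and _port_match(rule["dport"], pkt["dport"])):
        return False
    content = rule["opts"].get("content")
    if content is None:
        return True
    needle, haystack = content.encode(), pkt["payload"]
    if rule["opts"]["nocase"]:
        needle, haystack = needle.lower(), haystack.lower()
    return needle in haystack


def scan(rules, packets):
    """Return (packet index, sid, msg) for every alert rule that fires."""
    alerts = []
    for i, pkt in enumerate(packets):
        for rule in rules:
            if rule["action"] == "alert" and rule_matches(rule, pkt):
                alerts.append((i, int(rule["opts"]["sid"]), rule["opts"]["msg"]))
    return alerts


# Constructed packets: decoded headers plus payload bytes.
PACKETS = [
    {"proto": "tcp", "src": "198.51.100.9", "sport": 51000, "dst": "10.0.0.5", "dport": 80,
     "payload": b"GET /../../private/config HTTP/1.1\r\nHost: www\r\n\r\n"},
    {"proto": "tcp", "src": "198.51.100.9", "sport": 51001, "dst": "10.0.0.7", "dport": 21,
     "payload": b"user ANONYMOUS\r\n"},
    {"proto": "tcp", "src": "198.51.100.9", "sport": 51002, "dst": "192.0.2.10", "dport": 80,
     "payload": b"GET /../secret HTTP/1.1\r\n\r\n"},          # outside $HOME_NET: no alert
    {"proto": "tcp", "src": "10.0.0.5", "sport": 80, "dst": "198.51.100.9", "dport": 51000,
     "payload": b"HTTP/1.1 200 OK\r\n\r\n<html>ok</html>"},   # benign reply: no alert
]


def demo():
    return scan(parse_rules(RULES_TEXT, VARIABLES), PACKETS)


if __name__ == "__main__":
    for index, sid, msg in demo():
        print(f"packet {index}: sid {sid} {msg}")
```

The third packet carries the same content as the first but is addressed outside $HOME_NET, which is the "rules are specific" point of the slide: a signature fires only where its header says it applies.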



Host-based intrusion detection (HIDS)

• Adds a specialized layer of security software to vulnerable or sensitive systems

• Can use either anomaly or signature and heuristic approaches

• Monitors activity to detect suspicious behavior

• Primary purpose is to detect intrusions, log suspicious events, and send alerts

• Can detect both external and internal intrusions



Data sources and sensors

• Collects data

• Common data sources include:

  • System call traces
  • Audit (log file) records
  • File integrity checksums
  • Registry access



Anomaly-based detection

• The majority of work on anomaly-based HIDS has been done on UNIX and Linux systems, given the ease of gathering suitable data for this work.

• System calls are the means by which programs access core kernel functions, providing a wide range of interactions with the low-level operating system functions.

• Hence they provide detailed information on process activity that can be used to classify it as normal or anomalous.

• While using system call traces provides arguably the richest information source for a HIDS, it does impose a moderate load on the monitored system to gather and classify this data.
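As an added example (not code from the slides), the sequence-based approach these bullets describe in a minimal form: the profile of normal behaviour is the set of short system-call sequences observed in training traces, and a new trace is scored by how many of its windows never occurred in training. The traces, the window length of 3 and the alert threshold are constructed assumptions for illustration.

```python
"""System-call sequence anomaly detection for a host-based IDS.

Added example, not code from the slides: a minimal version of the
n-gram ("sequence time-delay embedding") approach, in which the set
of short system-call sequences seen during normal operation is the
profile, and a new trace is scored by the fraction of its windows
that never appeared in that profile.  All traces below are
constructed for illustration, not captured from a real system.
"""
from typing import Iterable, List, Sequence, Set, Tuple

NGram = Tuple[str, ...]

# Constructed "normal" traces for a hypothetical file-serving process.
NORMAL_TRACES: List[List[str]] = [
    ["open", "fstat", "mmap", "read", "write", "close"],
    ["open", "fstat", "read", "read", "write", "close"],
    ["open", "fstat", "mmap", "read", "read", "write", "close"],
    ["stat", "open", "fstat", "read", "write", "close"],
]

# Constructed trace whose tail (fork/execve/chmod) never occurs in normal runs.
SUSPECT_TRACE: List[str] = [
    "open", "fstat", "read", "write", "fork", "execve", "chmod", "close",
]


def ngrams(trace: Sequence[str], n: int) -> Iterable[NGram]:
    """Yield every contiguous window of n calls in the trace."""
    for i in range(len(trace) - n + 1):
        yield tuple(trace[i:i + n])


def build_profile(traces: Iterable[Sequence[str]], n: int = 3) -> Set[NGram]:
    """The profile of normal behaviour is the set of n-grams seen in training."""
    profile: Set[NGram] = set()
    for trace in traces:
        profile.update(ngrams(trace, n))
    return profile


def score_trace(trace: Sequence[str], profile: Set[NGram],
                n: int = 3) -> Tuple[float, List[NGram]]:
    """Return (anomaly ratio, unseen windows).

    The ratio is the fraction of windows in the trace that are absent from
    the profile: 0.0 means every window was observed during training.
    """
    windows = list(ngrams(trace, n))
    if not windows:
        return 0.0, []
    unseen = [w for w in windows if w not in profile]
    return len(unseen) / len(windows), unseen


def classify(trace: Sequence[str], profile: Set[NGram],
             n: int = 3, threshold: float = 0.25) -> str:
    """Label a trace; the threshold trades false alarms against misses."""
    ratio, _ = score_trace(trace, profile, n)
    return "anomalous" if ratio > threshold else "normal"


if __name__ == "__main__":
    prof = build_profile(NORMAL_TRACES)
    ratio, unseen = score_trace(SUSPECT_TRACE, prof)
    print(f"anomaly ratio {ratio:.2f}, unseen windows: {unseen}")
    print(classify(SUSPECT_TRACE, prof))
```

The score says nothing about which rule was broken, only that the process is executing call sequences it has never been seen to execute; the threshold is where the trade-off between false alarms and the collection load mentioned in the last bullet is tuned.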


Signature or heuristic based detection

• Anti-virus (A/V) products, more correctly viewed as anti-malware products.

• Very commonly used on Windows systems, and also incorporated into mail and web application proxies on firewalls and in network-based IDSs.

• They use either a database of file signatures, which are patterns of data found in known malicious software, or heuristic rules that characterize known malicious behavior.

• Quite efficient at detecting known malware; however, they are not capable of detecting zero-day attacks that do not correspond to the known signatures or heuristic rules.
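To make the signature/heuristic contrast concrete, an added example (not from the slides): a toy scanner with a byte-pattern signature database and two heuristic rules, run over constructed samples. The signature names, the rules and every sample byte are made up, and the "known", "variant", "packed" and "novel" samples exist only to show which mechanism catches what.

```python
"""Signature versus heuristic detection of malicious files.

Added example, not code from the slides: it contrasts the two mechanisms
named above, a database of byte patterns taken from known samples and
heuristic rules that describe behaviour shared by a class of malware,
and shows the consequence the slide states: a sample matching no
signature and no rule goes undetected.  Every signature, rule and
sample here is constructed toy data; no real malware bytes are used.
"""
import math
from typing import Dict, List

# Constructed signature database: name -> byte pattern from a "known" sample.
SIGNATURES: Dict[str, bytes] = {
    "Toy.Dropper.A": b"DROP:\x90\x90\xcc\xcc",
    "Toy.Keylog.B": b"KLOG:hook\x00",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encrypted content scores close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def signature_scan(data: bytes) -> List[str]:
    """Exact-pattern match: finds known samples, misses any byte-level change."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def heuristic_scan(data: bytes) -> List[str]:
    """Rules about what a family does rather than the bytes of one sample."""
    hits: List[str] = []
    # Constructed rule 1: the pair of API names typical of writing code into
    # another process appears together among the file's strings.
    if b"VirtualAlloc" in data and b"WriteProcessMemory" in data:
        hits.append("heur.process-injection-apis")
    # Constructed rule 2: a high-entropy body behind a small plaintext stub
    # looks like a packed payload.
    body = data[64:]
    if len(body) >= 64 and shannon_entropy(body) > 7.0:
        hits.append("heur.packed-high-entropy")
    return hits


def verdict(data: bytes) -> Dict[str, object]:
    """Combine both mechanisms the way an anti-malware engine would."""
    sigs, heur = signature_scan(data), heuristic_scan(data)
    return {"signatures": sigs, "heuristics": heur, "detected": bool(sigs or heur)}


# Constructed samples.
KNOWN = b"MZ\x90\x00" + b"DROP:\x90\x90\xcc\xcc" + b"hello"
# Same family, one signature byte changed, but the behaviour strings remain.
VARIANT = b"MZ\x90\x00" + b"DROP:\x90\x91\xcc\xcc" + b"VirtualAlloc WriteProcessMemory"
# Packed: 64-byte stub followed by a uniformly distributed body.
PACKED = b"STUB" + b"\x00" * 60 + bytes(range(256))
# Nothing in the database and no rule fires: the zero-day case.
NOVEL = b"MZ\x90\x00" + b"a completely new sample with no known pattern"
```

The variant shows why products carry both mechanisms: a single changed byte defeats the signature, while the heuristic still fires on what the file does. The novel sample shows the limit the last bullet states, since neither mechanism has anything to match.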


Distributed HIDS

Three main components:

1 Host agent module: An audit collection module operating as a background process on a monitored system. Its purpose is to collect data on security-related events on the host and transmit these to the central manager.

2 LAN monitor agent module: Operates in the same fashion as a host agent module except that it analyzes LAN traffic and reports the results to the central manager.

3 Central manager module: Receives reports from LAN monitor and host agents and processes and correlates these reports to detect intrusion.


Distributed HIDS

Figure 8.2 Architecture for Distributed Intrusion Detection (figure not reproduced; components shown: a central manager running the manager module, a LAN monitor and hosts each running the agent module, a router, and the Internet)


Agent architecture

Figure 8.3 Agent Architecture (figure not reproduced; components shown: OS audit function producing OS audit information, filter for security interest, reformat function producing the host audit record (HAR), analysis module with templates and logic module, and the central manager; labelled flows: alerts, notable activity, signatures, noteworthy sessions, query/response, modifications)


Network-based NIDS

• Monitors traffic at selected points on a network

• Examines traffic packet by packet in real or close to real time

• May examine network, transport, and/or application-level protocol activity

• Comprised of a number of sensors, one or more servers for NIDS management functions, and one or more management consoles for the human interface

• Analysis of traffic patterns may be done at the sensor, the management server or a combination of the two


Sensor types: inline and passive

• An inline sensor is inserted into a network segment so that the traffic that it is monitoring must pass through the sensor. One way to achieve an inline sensor is to combine NIDS sensor logic with another network device, such as a firewall or a LAN switch.

• A passive sensor monitors a copy of network traffic; the actual traffic does not pass through the device. From the point of view of traffic flow, the passive sensor is more efficient than the inline sensor, because it does not add an extra handling step that contributes to packet delay.


Passive NIDS sensor

Figure 8.4 Passive NIDS Sensor (figure not reproduced; shows the NIDS sensor attached to the network traffic through a monitoring interface with no IP address, in promiscuous mode, and reached through a separate management interface with an IP address)


Sensor deployment locations

Figure 8.5 Example of NIDS Sensor Deployment (figure not reproduced; shows the Internet, an external firewall, internal firewalls, LAN switches or routers, the service network (Web, Mail, DNS, etc.), the internal server and data resource networks, and the workstation networks, with four numbered sensor positions)


Intrusion detection techniques

Attacks suitable for signature detection

• Application layer reconnaissance and attacks

• Transport layer reconnaissance and attacks

• Network layer reconnaissance and attacks

• Unexpected application services

• Policy violations

Attacks suitable for anomaly detection

• Denial-of-service (DoS) attacks

• Scanning

• Worms


Stateful Protocol Analysis (SPA)

• Subset of anomaly detection that compares observed network traffic against predetermined universal vendor-supplied profiles of benign protocol traffic

• This distinguishes it from anomaly techniques trained with organization-specific traffic protocols

• Understands and tracks network, transport, and application protocol states to ensure they progress as expected

• A key disadvantage is the high resource use it requires
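An added example of the state tracking the slide describes (not from the slides): a simplified TCP tracker that expects the handshake, data exchange and teardown to progress in order and reports any packet that does not fit the flow's current state. The packet records are constructed, and the state machine deliberately omits retransmissions, simultaneous open and timers.

```python
"""Stateful protocol analysis of TCP connection setup and teardown.

Added example, not code from the slides: a small tracker that models the
expected progression of a TCP connection (three-way handshake, data,
FIN exchange) and flags packets that do not fit the flow's current
state.  Packets are constructed records rather than captures, and the
state machine is deliberately simplified (no retransmissions,
simultaneous open, or timers) to keep the idea visible.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]
FlowKey = Tuple[Endpoint, Endpoint]


@dataclass
class Packet:
    src: Endpoint
    dst: Endpoint
    flags: str            # subset of "SAFR": SYN, ACK, FIN, RST
    payload: int = 0      # bytes of application data carried


@dataclass
class FlowState:
    state: str = "CLOSED"
    client: Optional[Endpoint] = None        # side that sent the first SYN
    violations: List[str] = field(default_factory=list)


def flow_key(p: Packet) -> FlowKey:
    """Both directions of one connection map to the same key."""
    a, b = sorted([p.src, p.dst])
    return (a, b)


class TcpStateTracker:
    def __init__(self) -> None:
        self.flows: Dict[FlowKey, FlowState] = {}

    @staticmethod
    def _violate(fs: FlowState, msg: str) -> str:
        fs.violations.append(msg)
        return "VIOLATION: " + msg

    def observe(self, p: Packet) -> str:
        """Feed one packet; returns the flow's new state or a violation."""
        fs = self.flows.setdefault(flow_key(p), FlowState())
        f = set(p.flags)
        from_client = fs.client is None or p.src == fs.client

        if "R" in f:                      # a reset aborts from any state
            fs.state = "CLOSED"
            return fs.state

        if fs.state == "CLOSED":
            if f == {"S"}:
                fs.client, fs.state = p.src, "SYN_SENT"
            else:
                return self._violate(fs, f"flags {p.flags} with no open connection")
        elif fs.state == "SYN_SENT":
            if f == {"S", "A"} and not from_client:
                fs.state = "SYN_RECEIVED"
            else:
                return self._violate(fs, f"expected SYN/ACK from server, saw {p.flags} payload={p.payload}")
        elif fs.state == "SYN_RECEIVED":
            if f == {"A"} and from_client:
                fs.state = "ESTABLISHED"  # the final ACK may legitimately carry data
            else:
                return self._violate(fs, f"expected handshake ACK from client, saw {p.flags}")
        elif fs.state == "ESTABLISHED":
            if "S" in f:
                return self._violate(fs, "SYN on an established connection")
            if "F" in f:
                fs.state = "CLOSING"      # plain ACKs and data keep the state
        elif fs.state == "CLOSING":
            if "F" in f:
                fs.state = "CLOSED"       # second FIN completes the teardown
        return fs.state


def analyze(packets: List[Packet]) -> Tuple[str, List[str]]:
    """Run a packet list through a fresh tracker; return (last state, violations)."""
    tracker = TcpStateTracker()
    last = "CLOSED"
    for p in packets:
        last = tracker.observe(p)
    violations = [v for fs in tracker.flows.values() for v in fs.violations]
    return last, violations
```

The per-flow dictionary is also where the slide's last point shows up: a sensor doing this must hold a state record for every connection it sees, which is why stateful analysis costs far more than stateless pattern matching.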


Logging alerts

Typical information logged by a NIDS sensor includes:

• Timestamp

• Connection or session ID

• Event or alert type

• Rating

• Network, transport, and application layer protocols

• Source and destination IP addresses

• Source and destination TCP or UDP ports, or ICMP types and codes

• Number of bytes transmitted over the connection

• Decoded payload data, such as application requests and responses

• State-related information
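An added example (not from the slides) that maps those fields onto real sensor output: a parser for Snort's single-line "fast" alert format, with a small aggregation over a batch of alerts. The alert lines are constructed, use documentation address ranges and carry placeholder rule IDs and messages; the parser assumes IPv4 addresses.

```python
"""Parsing NIDS alert records into the fields a sensor typically logs.

Added example, not code from the slides: a parser for Snort's
single-line "fast" alert format, mapping each record onto the fields
listed above (timestamp, event type, rating/priority, protocol,
source and destination addresses and ports), plus a summary over a
batch of alerts.  The alert lines are constructed samples using
documentation address ranges; the rule IDs and messages are
placeholders, not real Snort rules.  Assumes IPv4 addresses.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>[0-9.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[0-9.]+)(?::(?P<dport>\d+))?$"
)

# Constructed alert log (not real sensor output).  The third record has no
# classification, which Snort omits when a rule does not set one.
ALERT_LOG = """\
08/14-12:00:01.000123  [**] [1:1000001:2] CONSTRUCTED web probe (admin path) [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:44321 -> 192.0.2.10:80
08/14-12:00:02.500000  [**] [1:1000002:1] CONSTRUCTED ICMP echo sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.7 -> 192.0.2.11
08/14-12:00:03.000000  [**] [1:1000003:1] CONSTRUCTED oversized DNS query [**] [Priority: 1] {UDP} 198.51.100.9:5353 -> 192.0.2.53:53
this line is not an alert and must be skipped
"""


def parse_alert(line: str) -> Optional[Dict[str, object]]:
    """Return the alert's fields, or None if the line is not a fast-format alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return {
        "timestamp": m["ts"],
        "signature": (int(m["gid"]), int(m["sid"]), int(m["rev"])),
        "event_type": m["msg"],
        "classification": m["cls"],
        "rating": int(m["prio"]),          # Snort priority: 1 is the most severe
        "protocol": m["proto"],
        "src_ip": m["src"],
        "src_port": int(m["sport"]) if m["sport"] else None,   # None for ICMP
        "dst_ip": m["dst"],
        "dst_port": int(m["dport"]) if m["dport"] else None,
    }


def summarize(log_text: str) -> Dict[str, object]:
    """Parse a batch of alert lines and aggregate by source and severity."""
    alerts: List[Dict[str, object]] = []
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_alert(line)
        if rec is None:
            unparsed += 1          # keep a count: silent drops hide sensor problems
        else:
            alerts.append(rec)
    return {
        "alerts": alerts,
        "unparsed": unparsed,
        "by_source": dict(Counter(a["src_ip"] for a in alerts)),
        "by_rating": dict(Counter(a["rating"] for a in alerts)),
        "high_severity": [a["event_type"] for a in alerts if a["rating"] == 1],
    }
```

The fast format carries most of the slide's list but not the byte counts, decoded payload or session state; those come from Snort's fuller output formats or from the packet log, which is why the two are usually kept side by side.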


Distributed or hybrid HIDS

• Does not rely solely on perimeter defense mechanisms, such as firewalls, or on individual host-based defenses.

• Instead, each end host and each network device (e.g., routers) is considered to be a potential sensor and may have the sensor software module installed.

• Sensors in this distributed configuration can exchange information to corroborate the state of the network (i.e., whether an attack is under way).


Distributed or hybrid HIDS

Figure 8.6 Overall Architecture of an Autonomic Enterprise Security System (figure not reproduced; labels shown: distributed detection and inference, platform policies, network policies, collaborative policies, adaptive feedback-based policies, platform events, PEP events, DDI events, summary events, gossip; PEP = policy enforcement point, DDI = distributed detection and inference)


IETF Intrusion Detection Working Group

• Purpose is to define data formats and exchange procedures for sharing information of interest to intrusion detection and response systems and to management systems that may need to interact with them


General message exchange framework

Figure 8.7 Model For Intrusion Detection Message Exchange (figure not reproduced; components shown: data source, sensor, analyzer, manager, operator, administrator, security policy; labelled flows: activity, event, alert, notification, response)


General message exchange framework

• Data source: Common data sources include network packets, operating system audit logs, application audit logs, and system-generated checksum data.

• Sensor: Collects data from the data source. The sensor forwards events to the analyzer.

• Analyzer: The ID component or process that analyzes the data collected by the sensor for signs of unauthorized or undesired activity or for events that might be of interest to the security administrator.

• Administrator: The human with overall responsibility for setting the security policy of the organization, and, thus, for decisions about deploying and configuring the IDS.

• Manager: Management functions typically include sensor configuration, analyzer configuration, event notification management, data consolidation, and reporting.

• Operator: The human operator often monitors the output of the IDS and initiates or recommends further action.


Honeypots

• Decoy systems designed to:
  • Lure a potential attacker away from critical systems
  • Collect information about the attacker’s activity
  • Encourage the attacker to stay on the system long enough for administrators to respond

• Systems are filled with fabricated information that a legitimate user of the system wouldn’t access

• Resources that have no production value

• Incoming communication is most likely a probe, scan, or attack

• Initiated outbound communication suggests that the system has probably been compromised


Honeypot types

• Low interaction honeypot
  • Consists of a software package that emulates particular IT services or systems well enough to provide a realistic initial interaction, but does not execute a full version of those services or systems
  • Provides a less realistic target
  • Often sufficient for use as a component of a distributed IDS to warn of imminent attack

• High interaction honeypot
  • A real system, with a full operating system, services and applications, which are instrumented and deployed where they can be accessed by attackers
  • Is a more realistic target that may occupy an attacker for an extended period
  • However, it requires significantly more resources
  • If compromised could be used to initiate attacks on other systems


Honeypot locations

Figure 8.8 Example of Honeypot Deployment (figure not reproduced; shows the Internet, an external firewall, LAN switches or routers, the service network (Web, Mail, DNS, etc.) and the internal network, with three numbered honeypot positions)


Example: Snort

• Snort is a free and open source network intrusion prevention system (NIPS) and network intrusion detection system (NIDS)

• Real-time traffic analysis and packet logging on IP networks, protocol analysis, content searching and matching.

• Detects probes or attacks, including, but not limited to, operating system fingerprinting attempts, semantic URL attacks, buffer overflows, server message block probes, and stealth port scans.

• Three main modes
  1 Sniffer mode: read network packets and display them on the console.
  2 Packet logger mode: log packets to the disk.
  3 Intrusion detection mode: monitor network traffic and analyze it against a rule set defined by the user. The program will then perform a specific action based on what has been identified.
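An added example of what intrusion detection mode does with a user-defined rule set (not Snort's own code): a matcher for a small subset of Snort's rule syntax, evaluated over constructed packet records. The rule set, the $HOME_NET and $EXTERNAL_NET values, the SIDs and the packets are all constructed, and the subset's simplifications are listed in the docstring.

```python
"""Matcher for a small subset of Snort's rule language.

Added example, not Snort's own code: rules of the form
``action proto src sport -> dst dport (options)`` with the msg, content,
nocase, dsize, sid and rev options and $VAR addresses, evaluated against
constructed packet records.  Simplifications Snort does not make: nocase
applies to every content in the rule; |hex| content, the <> direction,
port lists and semicolons inside quoted strings are unsupported.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed variable table (Snort reads these from its configuration).
VARS: Dict[str, str] = {"$HOME_NET": "192.0.2.0/24", "$EXTERNAL_NET": "!192.0.2.0/24"}

HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$")


@dataclass
class Rule:
    action: str
    proto: str
    header: Tuple[str, str, str, str]        # src, sport, dst, dport specs
    msg: str = ""
    sid: int = 0
    contents: List[str] = field(default_factory=list)
    nocase: bool = False
    dsize: Optional[str] = None


def parse_rule(line: str) -> Rule:
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    r = Rule(m["action"], m["proto"], (m["src"], m["sport"], m["dst"], m["dport"]))
    for opt in m["opts"].split(";"):
        key, _, val = opt.strip().partition(":")
        val = val.strip().strip('"')
        if key in ("msg", "dsize"):
            setattr(r, key, val)
        elif key == "content":
            r.contents.append(val)
        elif key == "nocase":
            r.nocase = True
        elif key == "sid":
            r.sid = int(val)                 # rev and unknown options are ignored
    return r


def addr_matches(spec: str, ip: str) -> bool:
    spec = VARS.get(spec, spec)              # a leading "!" negates, as in Snort
    return spec == "any" or (ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip("!"))) != spec.startswith("!")


def port_matches(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def dsize_matches(spec: Optional[str], size: int) -> bool:
    if spec is None:
        return True
    if spec[0] in "<>":
        return size > int(spec[1:]) if spec[0] == ">" else size < int(spec[1:])
    return size == int(spec)


def rule_matches(r: Rule, pkt: Dict[str, object]) -> bool:
    src, sport, dst, dport = r.header
    if r.proto != pkt["proto"] or not (addr_matches(src, pkt["src"]) and port_matches(sport, pkt["sport"])
                                       and addr_matches(dst, pkt["dst"]) and port_matches(dport, pkt["dport"])):
        return False
    payload: bytes = pkt["payload"]
    if not dsize_matches(r.dsize, len(payload)):
        return False
    hay = payload.lower() if r.nocase else payload
    return all((c.lower() if r.nocase else c).encode() in hay for c in r.contents)


def run_ruleset(rule_text: str, packets: List[Dict[str, object]]) -> List[Tuple[str, int, str]]:
    """Evaluate every rule against every packet; return (action, sid, msg) per hit."""
    rules = [parse_rule(l) for l in rule_text.splitlines() if l.strip() and not l.startswith("#")]
    return [(r.action, r.sid, r.msg) for pkt in packets for r in rules if rule_matches(r, pkt)]


# Constructed rule set (placeholder SIDs and messages) and constructed traffic.
RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CONSTRUCTED admin path probe"; content:"/admin"; nocase; sid:1000001; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"CONSTRUCTED oversized DNS query"; dsize:>512; sid:1000002; rev:1;)
log icmp any any -> $HOME_NET any (msg:"CONSTRUCTED inbound ICMP"; sid:1000003; rev:1;)
"""
PACKETS: List[Dict[str, object]] = [
    {"proto": "tcp", "src": "198.51.100.7", "sport": 44321, "dst": "192.0.2.10", "dport": 80, "payload": b"GET /Admin/login HTTP/1.1\r\n"},
    {"proto": "udp", "src": "198.51.100.9", "sport": 5353, "dst": "192.0.2.53", "dport": 53, "payload": b"\x00" * 600},
    {"proto": "icmp", "src": "198.51.100.7", "sport": 0, "dst": "192.0.2.11", "dport": 0, "payload": b""},
    {"proto": "tcp", "src": "192.0.2.10", "sport": 80, "dst": "198.51.100.7", "dport": 44321, "payload": b"/admin"},
]
```

The last packet carries the same content as the first but travels from the home network outward, so the header part of the rule rejects it before the content check runs; in Snort the header is likewise the cheap filter that decides which rules' options are evaluated at all, and the action (alert, log) is the "specific action" the slide refers to.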
