Introduction
Intruders
Intrusion detection
Analysis
Anomaly
Signature or heuristic
Host-based
Data sources and sensors
Anomaly
Signature or heuristic
Distributed
Network-based
Types of network sensors
Sensor locations
ID techniques
Logging alerts
Distributed or hybrid
ID data standards
Honeypots
Example: Snort
Intrusion Detection
Comp Sci 3600 Security
Outline
1 Introduction: Intruders; Intrusion detection
2 Analysis: Anomaly; Signature or heuristic
3 Host-based: Data sources and sensors; Anomaly; Signature or heuristic; Distributed
4 Network-based: Types of network sensors; Sensor locations; ID techniques; Logging alerts
5 Distributed or hybrid
6 ID data standards
7 Honeypots
8 Example: Snort
Classes of Intruders - Cyber Criminals
• Individuals or members of an organized crime group with a goal of financial reward
• Their activities may include:
• Identity theft
• Theft of financial credentials
• Corporate espionage
• Data theft
• Data ransoming
• Typically meet in underground forums to trade tips and data and to coordinate attacks
Intruders - Activists
• Either individuals, usually working as insiders, or members of a larger group of outsider attackers, who are motivated by social or political causes
• Also known as hacktivists
• Skill level is often low
• Aim of their attacks is often to promote and publicize their cause, typically through:
• Website defacement
• Denial of service attacks
• Theft and distribution of data that results in negative publicity or compromise of their targets
Intruders - State-Sponsored Organizations
• Groups of hackers sponsored by governments to conduct espionage or sabotage activities
• Also known as Advanced Persistent Threats (APTs), due to the covert nature and the persistence over extended periods of the attacks in this class
• These activities are widespread in nature and scope, carried out by a wide range of countries from China to the USA, the UK, and their intelligence allies
Intruders - Others
• Include classic hackers or crackers who are motivated by technical challenge or by peer-group esteem and reputation
• Many of those responsible for discovering new categories of buffer overflow vulnerabilities could be regarded as members of this class
• Given the wide availability of attack toolkits, there is a pool of "hobby hackers" using them to explore system and network security
Intruder Skill Levels - Apprentice
• Hackers with minimal technical skill who primarily use existing attack toolkits
• They likely comprise the largest number of attackers, including many criminal and activist attackers
• Given their use of existing known tools, these attackers are the easiest to defend against
• Also known as "script kiddies" due to their use of existing scripts (tools)
Intruder Skill Levels - Journeyman
• Hackers with sufficient technical skills to modify and extend attack toolkits to use newly discovered, or purchased, vulnerabilities
• They may be able to locate new vulnerabilities to exploit that are similar to some already known
• Hackers with such skills are likely found in all intruder classes
• Adapt tools for use by others
Intruder Skill Levels - Master
• Hackers with high-level technical skills capable of discovering brand new categories of vulnerabilities
• Write new powerful attack toolkits
• Some of the better known classical hackers are of this level
• Some are employed by state-sponsored organizations
• Defending against these attacks is of the highest difficulty
Examples of Intrusion
• Performing a remote root compromise of an e-mail server
• Defacing a Web server
• Guessing and cracking passwords
• Copying a database containing credit card numbers
• Viewing sensitive data, including payroll records and medical information, without authorization
• Running a packet sniffer on a workstation to capture usernames and passwords
• Using a permission error on an anonymous FTP server to distribute pirated software and music files
• Dialing into an unsecured modem and gaining internal network access
• Posing as an executive, calling the help desk, resetting the executive's e-mail password, and learning the new password
• Using an unattended, logged-in workstation without permission
Intruder Behavior
• Target acquisition and information gathering
• Initial access
• Privilege escalation
• Information gathering and system exploit
• Maintaining access
• Covering tracks
Target Acquisition and Information Gathering
• Explore the corporate website for information on corporate structure, personnel, and key systems, as well as details of the specific web server and OS used.
• Gather information on the target network using DNS lookup tools such as dig, host, and others, and query the WHOIS database.
• Map the network for accessible services using tools such as NMAP.
• Send a query email to the customer service contact and review the response for information on the mail client, server, and OS used, as well as details of the person responding.
• Identify potentially vulnerable services, e.g. a vulnerable web CMS.
Initial Access
• Brute force (guess) a user's web content management system (CMS) password.
• Exploit a vulnerability in a web CMS plugin to gain system access.
• Send a spear-phishing email with a link to a web browser exploit to key people.
Privilege Escalation
• Scan the system for applications with a local exploit.
• Exploit any vulnerable application to gain elevated privileges.
• Install sniffers to capture administrator passwords.
• Use a captured administrator password to access privileged information.
Information Gathering or System Exploit
• Scan files for the desired information.
• Transfer large numbers of documents to an external repository.
• Use guessed or captured passwords to access other servers on the network.
Maintaining Access
• Install a remote administration tool or rootkit with a backdoor for later access.
• Use the administrator password to access the network again later.
• Modify or disable anti-virus or IDS programs running on the system.
Covering Tracks
• Use a rootkit to hide files installed on the system.
• Edit log files to remove entries generated during the intrusion.
Definitions (from RFC 4949, Internet Security Glossary)
Security Intrusion: A security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so.
Intrusion Detection: A security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner.
Intrusion Detection System (IDS)
• Sensors - collect data
• Analyzers - determine if intrusion has occurred
• User interface - view output or control system behavior
Intrusion Detection System (IDS)
Host-based IDS (HIDS)
• Monitors the characteristics of a single host for suspicious activity
Network-based IDS (NIDS)
• Monitors network traffic and analyzes network, transport, and application protocols to identify suspicious activity
Distributed or hybrid IDS
• Combines information from a number of sensors, often both host and network based, in a central analyzer that is able to better identify and respond to intrusion activity
Discrimination between normal and intruder behavior
Figure 8.1 Profiles of Behavior of Intruders and Authorized Users: probability density function plotted against a measurable behavior parameter, showing the profile of authorized user behavior and the profile of intruder behavior, the average behavior of each, and the region where the two profiles overlap in observed or expected behavior.
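Worked example, added here and not part of the lecture slides: the two profiles of Figure 8.1 modelled as normal distributions with assumed means and standard deviations, and the false-alarm and miss rates computed for any threshold placed between them. It shows the trade-off the figure implies: moving the threshold into the intruder profile to cut false alarms raises the miss rate, and vice versa. The parameter values, the metric name and the bisection helper are assumptions for the demo.

```python
import math

# Constructed profiles (assumed values, not from the lecture): the measurable
# behaviour parameter is taken to be failed logins per hour. Authorized users
# and intruders are each modelled as a normal distribution over that parameter.
AUTHORIZED = (2.0, 1.0)   # (mean, standard deviation)
INTRUDER = (6.0, 2.0)


def normal_cdf(x: float, mean: float, std: float) -> float:
    """P(X <= x) for a normal distribution with the given mean and std."""
    return 0.5 * (1.0 + math.erf((x - mean) / (std * math.sqrt(2.0))))


def error_rates(threshold: float, authorized=AUTHORIZED, intruder=INTRUDER):
    """Return (false_alarm_rate, miss_rate) for a detector that flags any
    observation above `threshold` as an intrusion.

    false alarm: an authorized user lands above the threshold
    miss:        an intruder lands at or below the threshold
    """
    false_alarm = 1.0 - normal_cdf(threshold, *authorized)
    miss = normal_cdf(threshold, *intruder)
    return false_alarm, miss


def sweep(thresholds, authorized=AUTHORIZED, intruder=INTRUDER):
    """Tabulate both error rates across a range of thresholds."""
    return [(t, *error_rates(t, authorized, intruder)) for t in thresholds]


def threshold_for_false_alarm_rate(max_false_alarm: float, authorized=AUTHORIZED) -> float:
    """Smallest threshold whose false-alarm rate is at most `max_false_alarm`.

    Found by bisection on the authorized-user CDF. This is how an operator
    typically tunes an anomaly detector: fix the false-alarm budget first,
    then accept whatever miss rate follows from the overlap of the profiles.
    """
    lo, hi = authorized[0], authorized[0] + 10 * authorized[1]
    for _ in range(100):
        mid = (lo + hi) / 2
        if 1.0 - normal_cdf(mid, *authorized) > max_false_alarm:
            lo = mid
        else:
            hi = mid
    return hi


if __name__ == "__main__":
    print(f"{'threshold':>9} {'false alarm':>12} {'miss':>8}")
    for t, fa, miss in sweep([2, 3, 4, 5, 6]):
        print(f"{t:>9} {fa:>12.3f} {miss:>8.3f}")
    t = threshold_for_false_alarm_rate(0.01)
    fa, miss = error_rates(t)
    print(f"1% false-alarm budget -> threshold {t:.2f}, miss rate {miss:.3f}")
```

With these assumed profiles a threshold of 4 gives about 2.3% false alarms and a 16% miss rate; holding false alarms to 1% pushes the threshold to about 4.33 and the miss rate to about 20%. The only way to improve both at once is a better behaviour parameter (or several, combined) that separates the profiles more widely.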
IDS requirements
• Run continually with minimal human supervision.
• Be fault tolerant in the sense that it must be able to recover from system crashes and reinitializations.
• Resist subversion. The IDS must be able to monitor itself and detect if it has been modified by an attacker.
• Impose a minimal overhead on the system where it is running.
• Be able to be configured according to the security policies of the system that is being monitored.
• Be able to adapt to changes in system and user behavior over time.
• Be able to scale to monitor a large number of hosts.
• Provide graceful degradation of service in the sense that if some components of the IDS stop working for any reason, the rest of them should be affected as little as possible.
• Allow dynamic reconfiguration; that is, the ability to reconfigure the IDS without having to restart it.
Analysis Approaches
Anomaly detection
• Involves the collection of data relating to the behavior of legitimate users over a period of time
• Current observed behavior is analyzed to determine whether this behavior is that of a legitimate user or that of an intruder
Signature/Heuristic detection
• Uses a set of known malicious data patterns or attack rules that are compared with current behavior
• Can only identify known attacks for which it has patterns or rules
Anomaly based detection
Statistical
• Analysis of the observed behavior using univariate, multivariate, or time-series models of observed metrics
Knowledge based
• Approaches use an expert system that classifies observed behavior according to a set of rules that model legitimate behavior
Machine learning
• Approaches automatically determine a suitable classification model from the training data using data mining techniques: Bayesian networks, Markov models, neural networks, fuzzy logic, genetic algorithms, clustering, and reinforcement learning.
Signature or heuristic based detection
Signature approaches
• Match a large collection of known patterns of malicious data against data stored on a system or in transit over a network
• The signatures need to be large enough to minimize the false alarm rate, while still detecting a sufficiently large fraction of malicious data
• Widely used in anti-virus products, network traffic scanning proxies, and in NIDS
Rule-based heuristic identification
• Involves the use of rules for identifying known penetrations or penetrations that would exploit known weaknesses
• Rules can also be defined that identify suspicious behavior, even when the behavior is within the bounds of established patterns of usage
• Typically the rules used are specific
• SNORT is an example of a rule-based NIDS
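Added example, not from the slides and not Snort's code, contrasting the two approaches in a few lines of Python: a signature matcher that looks for fixed byte patterns and a regular expression in a payload, and a rule-based heuristic that fires on repeated failed logins from one source within a time window, where each individual event is within normal usage and no signature on any single line would match. The signature names, the log line format and the sample log are constructed for the demo.

```python
import re
from collections import defaultdict, deque
from typing import List, Optional, Tuple

# --- Signature detection: known patterns matched against data ---------------
# Constructed signatures for illustration only; real rule sets (Snort, ClamAV)
# are far larger and carry metadata such as offsets, protocols and references.
SIGNATURES = {
    "shellcode-nop-sled": b"\x90" * 16,
    "php-webshell-eval": b"eval(base64_decode(",
    "sqli-union-select": re.compile(rb"union\s+(all\s+)?select", re.IGNORECASE),
}


def match_signatures(payload: bytes) -> List[str]:
    """Return the names of every signature found in `payload`."""
    hits = []
    for name, sig in SIGNATURES.items():
        if isinstance(sig, bytes):
            if sig in payload:
                hits.append(name)
        elif sig.search(payload):
            hits.append(name)
    return hits


# --- Heuristic (rule-based) detection: behaviour that is suspicious even when
# every individual event is within normal usage ------------------------------
class FailedLoginRule:
    """Flag a source that fails authentication `limit` times within `window` seconds.

    Each single failed login is legitimate behaviour (typos happen); the rule
    fires on the rate, which no per-line or per-packet signature can see.
    """

    def __init__(self, limit: int = 5, window: float = 60.0):
        self.limit = limit
        self.window = window
        self._events = defaultdict(deque)  # source -> timestamps of failures

    def observe(self, ts: float, source: str, success: bool) -> bool:
        if success:
            return False
        q = self._events[source]
        q.append(ts)
        while q and ts - q[0] > self.window:  # drop failures outside the window
            q.popleft()
        return len(q) >= self.limit


# Constructed log lines in a made-up "ts source result" format.
SAMPLE_LOG = """\
100 10.0.0.5 FAIL
110 10.0.0.5 FAIL
115 10.0.0.9 FAIL
120 10.0.0.5 FAIL
125 10.0.0.5 FAIL
130 10.0.0.5 FAIL
400 10.0.0.9 OK
"""


def scan_log(text: str, rule: Optional[FailedLoginRule] = None) -> List[Tuple[float, str]]:
    """Run the heuristic rule over log lines; return (ts, source) whenever it fires."""
    rule = rule or FailedLoginRule()
    alerts = []
    for line in text.splitlines():
        ts, source, result = line.split()
        if rule.observe(float(ts), source, result == "OK"):
            alerts.append((float(ts), source))
    return alerts


if __name__ == "__main__":
    print(match_signatures(b"GET /?id=1 UNION SELECT user,pass FROM users"))
    print(scan_log(SAMPLE_LOG))
```

The signature side is only as good as its pattern list (an attacker who encodes the payload differently walks past it), while the rule side needs no knowledge of the attack tool at all but must be tuned so that ordinary users who mistype a password a few times do not trip it.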
Host-based intrusion detection (HIDS)
• Adds a specialized layer of security software to vulnerable or sensitive systems
• Can use either anomaly or signature and heuristic approaches
• Monitors activity to detect suspicious behavior
• Primary purpose is to detect intrusions, log suspicious events, and send alerts
• Can detect both external and internal intrusions
Data sources and sensors
• Collect data
• Common data sources include:
• System call traces
• Audit (log file) records
• File integrity checksums
• Registry access
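Added example of the third data source, file integrity checksums (illustration code, not from the slides or any product): build a baseline of SHA-256 hashes, modes and sizes for a directory tree, authenticate the baseline with an HMAC so that an intruder who edits the baseline to hide a change is caught, then diff the live tree against it. The directory layout, file contents and key are constructed for the demo; a real deployment keeps the baseline and the key off the monitored host, in line with the "resist subversion" requirement above.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Assumed: the baseline is stored off-host and authenticated with a key the
# monitored host cannot read; here both live in memory so the demo runs alone.
BASELINE_KEY = b"constructed-demo-key-keep-off-host"


def hash_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Hash every regular file under `root` (plus mode and size) and sign the
    table, so that tampering with the baseline itself is detectable."""
    entries = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            entries[str(p.relative_to(root))] = {
                "sha256": hash_file(p), "mode": oct(st.st_mode & 0o777), "size": st.st_size}
    payload = json.dumps(entries, sort_keys=True).encode()
    tag = hmac.new(BASELINE_KEY, payload, hashlib.sha256).hexdigest()
    return {"entries": entries, "hmac": tag}


def verify_baseline_signature(baseline: dict) -> bool:
    payload = json.dumps(baseline["entries"], sort_keys=True).encode()
    expected = hmac.new(BASELINE_KEY, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, baseline["hmac"])


def check(root: Path, baseline: dict) -> dict:
    """Compare the live tree with the baseline. Returns added/removed/modified
    path lists; raises if the baseline itself has been tampered with."""
    if not verify_baseline_signature(baseline):
        raise ValueError("baseline HMAC mismatch: baseline tampered with or wrong key")
    current = build_baseline(root)["entries"]
    old = baseline["entries"]
    return {
        "added": sorted(set(current) - set(old)),
        "removed": sorted(set(old) - set(current)),
        "modified": sorted(k for k in set(old) & set(current) if old[k] != current[k]),
    }


def demo() -> dict:
    """Constructed scenario in a temporary directory: take a baseline, then
    simulate an intruder's changes and re-check."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        etc = root / "etc"
        etc.mkdir()
        (etc / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (etc / "ssh_config").write_text("PermitRootLogin no\n")
        base = build_baseline(root)
        # intruder adds an account, drops a start-up script, deletes a config
        (etc / "passwd").write_text("root:x:0:0::/root:/bin/sh\nbackdoor:x:0:0::/:/bin/sh\n")
        (etc / "rc.local").write_text("/tmp/.x &\n")
        (etc / "ssh_config").unlink()
        return check(root, base)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Hashing catches content changes that a size or timestamp check misses, and the HMAC over the table is what stops the "edit the baseline too" step of covering tracks; without a key the host cannot read, a rootkit with root can simply rewrite both.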
Anomaly based detection
• The majority of work on anomaly-based HIDS has been done on UNIX and Linux systems, given the ease of gathering suitable data for this work.
• System calls are the means by which programs access core kernel functions, providing a wide range of interactions with the low-level operating system functions.
• Hence they provide detailed information on process activity that can be used to classify it as normal or anomalous.
• While using system call traces provides arguably the richest information source for a HIDS, it does impose a moderate load on the monitored system to gather and classify this data.
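Added example (not from the slides) of anomaly-based HIDS over system call traces, in the style of the sequence models learned from training data that the earlier machine learning bullet refers to: the profile of normal behaviour is simply the set of length-k windows of system calls seen during training, and a new trace is scored by the fraction of its windows never seen before. The traces are constructed strings in the style of an strace log, not real captures, and the threshold is an assumption.

```python
from typing import Iterable, List, Set, Tuple

# Constructed traces of system-call names; a real sensor would obtain them
# from the kernel audit subsystem (auditd, ptrace/strace, or eBPF), which is
# the "moderate load" the text refers to.
NORMAL_TRACES = [
    "execve brk mmap open fstat mmap read close mmap write exit_group".split(),
    "execve brk mmap open fstat mmap read read close write write exit_group".split(),
    "execve brk mmap open fstat mmap read close open read close write exit_group".split(),
]
# A process that, after a normal start-up, opens a socket and executes
# another program: windows that never occur in training.
SUSPICIOUS_TRACE = "execve brk mmap open fstat mmap read socket connect dup2 dup2 execve".split()

Ngram = Tuple[str, ...]


def ngrams(trace: List[str], k: int) -> List[Ngram]:
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]


class SyscallProfile:
    """Anomaly HIDS model: 'normal' is the set of length-k syscall windows seen
    in training. No signature of any particular attack is needed."""

    def __init__(self, k: int = 3):
        self.k = k
        self.known: Set[Ngram] = set()

    def train(self, traces: Iterable[List[str]]) -> None:
        for t in traces:
            self.known.update(ngrams(t, self.k))

    def score(self, trace: List[str]) -> float:
        """Fraction of windows never seen in training (0.0 = entirely normal)."""
        grams = ngrams(trace, self.k)
        if not grams:
            return 0.0
        unseen = sum(1 for g in grams if g not in self.known)
        return unseen / len(grams)

    def is_anomalous(self, trace: List[str], threshold: float = 0.2) -> bool:
        # threshold is an assumed tuning value; see the Figure 8.1 trade-off
        return self.score(trace) > threshold


def build_default_profile() -> SyscallProfile:
    p = SyscallProfile(k=3)
    p.train(NORMAL_TRACES)
    return p


if __name__ == "__main__":
    p = build_default_profile()
    for name, t in [("normal", NORMAL_TRACES[1]), ("suspicious", SUSPICIOUS_TRACE)]:
        print(f"{name:>10}: score={p.score(t):.2f} anomalous={p.is_anomalous(t)}")
```

A trace the model never saw in training but built from familiar windows (for example a run with one fewer read) still scores 0.0, which is the point of modelling short windows rather than whole traces; the flip side is that an attacker who can constrain the injected code to use only familiar windows (a mimicry attack) evades it.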
Signature or heuristic based detection
• Anti-virus (A/V) products, more correctly viewed as anti-malware products.
• Very commonly used on Windows systems, and also incorporated into mail and web application proxies on firewalls and in network-based IDSs.
• They use either a database of file signatures, which are patterns of data found in known malicious software, or heuristic rules that characterize known malicious behavior.
• Quite efficient at detecting known malware; however, they are not capable of detecting zero-day attacks that do not correspond to the known signatures or heuristic rules.
Distributed HIDS
Three main components:
1 Host agent module: An audit collection module operating as a background process on a monitored system. Its purpose is to collect data on security-related events on the host and transmit these to the central manager.
2 LAN monitor agent module: Operates in the same fashion as a host agent module except that it analyzes LAN traffic and reports the results to the central manager.
3 Central manager module: Receives reports from LAN monitor and host agents and processes and correlates these reports to detect intrusion.
Distributed HIDS
Figure 8.2 Architecture for Distributed Intrusion Detection: hosts running an agent module and a LAN monitor, connected through a router to the Internet, all reporting to a central manager running the manager module.
Agent architecture
Figure 8.3 Agent Architecture: the OS audit function produces OS audit information, which passes through a filter for security interest and a reformat function to become host audit records (HAR). The analysis module (logic module plus templates) examines the HARs for notable activity, signatures, and noteworthy sessions, and exchanges alerts, modifications, and query/response messages with the central manager.
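Added example (not from the slides) tying together the three components above and the agent data flow of Figure 8.3: host agents reformat raw audit lines into host audit records (HAR), drop events of no security interest, and forward the rest; the central manager correlates records across hosts and raises an alert that no single host could justify on its own, namely one failed login each from the same remote address on three different hosts. The raw audit line format and the HAR fields are assumptions, and the audit lines are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


# Assumed HAR layout: the lecture names the record but not its fields.
@dataclass(frozen=True)
class HAR:
    host: str
    ts: float
    subject: str      # user or remote principal
    action: str       # e.g. "login", "exec", "read"
    obj: str          # file, service, or target
    result: str       # "ok" or "fail"
    source: str = ""  # remote address, if any


class HostAgent:
    """Agent module: reformat raw OS audit lines into HARs, keep only those of
    security interest, and ship them to the central manager."""
    SECURITY_INTEREST = {"login", "exec", "chmod", "su"}

    def __init__(self, host: str, manager: "CentralManager"):
        self.host, self.manager = host, manager

    def process_line(self, line: str) -> Optional[HAR]:
        # Assumed raw audit format: "ts subject action obj result [source]"
        parts = line.split()
        if len(parts) < 5:
            return None
        ts, subject, action, obj, result = parts[:5]
        source = parts[5] if len(parts) > 5 else ""
        if action not in self.SECURITY_INTEREST:
            return None  # filtered out: not worth the network round trip
        har = HAR(self.host, float(ts), subject, action, obj, result, source)
        self.manager.receive(har)
        return har


class CentralManager:
    """Correlates HARs from every agent. The rule below fires when one remote
    source fails logins on at least `hosts_needed` distinct hosts within
    `window` seconds, even if each host saw too few failures to alert alone."""

    def __init__(self, hosts_needed: int = 3, window: float = 300.0):
        self.hosts_needed, self.window = hosts_needed, window
        self.failures: Dict[str, List[HAR]] = defaultdict(list)
        self.alerts: List[str] = []

    def receive(self, har: HAR) -> None:
        if har.action == "login" and har.result == "fail" and har.source:
            hist = self.failures[har.source]
            hist.append(har)
            hist[:] = [h for h in hist if har.ts - h.ts <= self.window]
            hosts = {h.host for h in hist}
            if len(hosts) >= self.hosts_needed:
                msg = f"password spray from {har.source} across {sorted(hosts)}"
                if msg not in self.alerts:
                    self.alerts.append(msg)


# Constructed audit lines from three hosts: one failed SSH login each from the
# same address, plus unrelated noise that the agents drop before sending.
RAW_AUDIT = {
    "web1": ["1000 alice read /var/www/index.html ok",
             "1005 bob login sshd fail 203.0.113.7"],
    "db1":  ["1060 carol login sshd fail 203.0.113.7",
             "1061 carol login sshd ok 198.51.100.2"],
    "app1": ["1120 dave login sshd fail 203.0.113.7",
             "1130 dave exec /usr/bin/vim ok"],
}


def run_demo() -> List[str]:
    manager = CentralManager(hosts_needed=3, window=300.0)
    for host, lines in RAW_AUDIT.items():
        agent = HostAgent(host, manager)
        for line in lines:
            agent.process_line(line)
    return manager.alerts


if __name__ == "__main__":
    for a in run_demo():
        print("ALERT:", a)
```

The filter in the agent is what keeps the central manager scalable (the "scale to a large number of hosts" requirement), and the cross-host view is what a purely host-local HIDS lacks: each of the three hosts saw a single failed login, which is normal.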
Network-based IDS (NIDS)
• Monitors traffic at selected points on a network
• Examines traffic packet by packet in real or close to real time
• May examine network, transport, and/or application-level protocol activity
• Comprised of a number of sensors, one or more servers for NIDS management functions, and one or more management consoles for the human interface
• Analysis of traffic patterns may be done at the sensor, the management server, or a combination of the two
Sensor types: inline and passive
• An inline sensor is inserted into a network segment so that the traffic that it is monitoring must pass through the sensor. One way to achieve an inline sensor is to combine NIDS sensor logic with another network device, such as a firewall or a LAN switch. Because the traffic passes through it, an inline sensor is also the only kind that can drop or block packets, which is what an intrusion prevention system needs.
• A passive sensor monitors a copy of the network traffic; the actual traffic does not pass through the device. From the point of view of traffic flow, the passive sensor is more efficient than the inline sensor, because it does not add an extra handling step that contributes to packet delay. It can only observe and alert, and if it fails the traffic keeps flowing.
Passive NIDS sensor
Figure 8.4 Passive NIDS Sensor: the sensor receives a copy of the network traffic on a monitoring interface (no IP address, promiscuous mode) and is administered over a separate management interface (with an IP address).
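Added example (not from the slides) of what the analysis behind the monitoring interface of Figure 8.4 does with each captured frame: decode the Ethernet, IPv4 and TCP headers, extract the connection 5-tuple, TCP flags and payload, and apply one simple check. Frames here are built in memory by a helper rather than read from a promiscuous-mode socket (which needs root and a live interface), and IP/TCP checksums are not verified; both are simplifications for the demo, and the port list is an assumption.

```python
import struct
from socket import inet_aton, inet_ntoa
from typing import Any, Dict, Optional

TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def parse_frame(frame: bytes) -> Optional[Dict[str, Any]]:
    """Decode Ethernet -> IPv4 -> TCP the way a passive sensor does for every
    frame seen on its promiscuous interface. Returns None for anything that is
    not IPv4/TCP. Checksums are not verified (a real sensor would)."""
    if len(frame) < 14:
        return None
    _dst_mac, _src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:  # not IPv4
        return None
    ip = frame[14:]
    if len(ip) < 20:
        return None
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes (options included)
    if proto != 6:  # not TCP
        return None
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    (sport, dport, seq, ack, off_res, flags,
     _window, _tcsum, _urg) = struct.unpack("!HHIIBBHHH", tcp[:20])
    doff = (off_res >> 4) * 4  # TCP header length in bytes
    return {
        "src": inet_ntoa(src), "dst": inet_ntoa(dst), "ttl": ttl,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": [name for bit, name in TCP_FLAGS.items() if flags & bit],
        "payload": tcp[doff:],
    }


def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int,
                flags: int, payload: bytes = b"") -> bytes:
    """Construct a minimal IPv4/TCP frame for the demo (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     inet_aton(src_ip), inet_aton(dst_ip)) + tcp
    return b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", 0x0800) + ip


# Assumed policy: new connections to cleartext admin services are worth an alert.
CLEARTEXT_ADMIN_PORTS = {23: "telnet", 21: "ftp"}


def sensor_verdict(frame: bytes) -> Optional[str]:
    """One analysis step a sensor might run on each decoded packet."""
    pkt = parse_frame(frame)
    if pkt is None:
        return None
    if pkt["flags"] == ["SYN"] and pkt["dport"] in CLEARTEXT_ADMIN_PORTS:
        svc = CLEARTEXT_ADMIN_PORTS[pkt["dport"]]
        return f"{pkt['src']} -> {pkt['dst']}:{pkt['dport']} ({svc}) connection attempt"
    return None


if __name__ == "__main__":
    syn = build_frame("10.0.0.5", "10.0.0.1", 40000, 23, 0x02)
    print(parse_frame(syn))
    print(sensor_verdict(syn))
```

A passive sensor sees this frame only because the monitoring interface is in promiscuous mode and has no IP address of its own; it can raise the alert but cannot stop the connection, which is the inline versus passive distinction above. Decoding header lengths from the IHL and data offset fields, rather than assuming 20 bytes, matters because attackers use IP and TCP options to push payloads past naive parsers.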
Sensor deployment locations
[Figure 8.5 Example of NIDS Sensor Deployment: the Internet connects through an external firewall to a service network (Web, Mail, DNS, etc.) and, through internal firewalls, to the internal server and data resource networks and to the workstation networks, each behind a LAN switch or router; four numbered candidate sensor positions are marked at these boundaries]
Intrusion detection techniques
Attacks suitable for signature detection (activity with a known, fixed pattern in headers or payload):
• Application layer reconnaissance and attacks
• Transport layer reconnaissance and attacks
• Network layer reconnaissance and attacks
• Unexpected application services
• Policy violations
Attacks suitable for anomaly detection (activity recognised by a change in traffic volume or shape rather than by content):
• Denial-of-service (DoS) attacks
• Scanning
• Worms
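As an added example (not code from the slides or from any IDS product), the anomaly side of this list in Python: a detector learns a per-source baseline from constructed normal flow records and then flags the three behaviours named above. The record layout, the 60-second window and the threshold rule are assumptions made for the example.

```python
"""Anomaly detection over flow records (added example, constructed data).

Scanning, DoS and worm propagation have no fixed byte pattern to sign on,
but each changes the *shape* of a source's traffic: many destination ports,
many packets per second, or many destination hosts.  The detector learns a
baseline for those three features from normal traffic and alerts on sources
that exceed it.  The 60 s window and the threshold rule are assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

WINDOW_SECONDS = 60.0
FEATURES = ("rate", "distinct_ports", "distinct_hosts")
LABELS = {"rate": "flood / DoS", "distinct_ports": "port scan",
          "distinct_hosts": "worm-like fan-out"}

# Constructed flow records: (time_s, src_ip, dst_ip, dst_port). All fall in one window.
NORMAL = ([(t, "10.0.0.5", "192.168.1.10", 443) for t in range(0, 60, 6)]     # 10 flows
          + [(t, "10.0.0.6", "192.168.1.10", 80) for t in range(0, 60, 10)])  # 6 flows
SCAN = [(3 * i, "10.0.0.9", "192.168.1.10", 20 + i) for i in range(20)]       # 20 ports, one host
DOS = [(i / 10, "10.0.0.7", "192.168.1.10", 80) for i in range(600)]          # 10 pkt/s, one port
WORM = [(3 * i, "10.0.0.8", f"192.168.1.{20 + i}", 445) for i in range(20)]   # 20 hosts, one port


def features(records):
    """Per-source feature vector over the window."""
    per_src = defaultdict(lambda: {"packets": 0, "ports": set(), "hosts": set()})
    for _, src, dst, port in records:
        f = per_src[src]
        f["packets"] += 1
        f["ports"].add(port)
        f["hosts"].add(dst)
    return {src: {"rate": f["packets"] / WINDOW_SECONDS,
                  "distinct_ports": len(f["ports"]),
                  "distinct_hosts": len(f["hosts"])}
            for src, f in per_src.items()}


def train_baseline(records, k=3.0, floor_factor=3.0):
    """Threshold per feature: mean + k*stdev, but never below floor_factor*mean.

    The floor matters because a small, uniform baseline has stdev ~ 0, which
    would otherwise turn any deviation at all into an anomaly (false positives).
    """
    feats = features(records)
    thresholds = {}
    for name in FEATURES:
        values = [f[name] for f in feats.values()]
        mu, sigma = mean(values), pstdev(values)
        thresholds[name] = max(mu + k * sigma, floor_factor * mu)
    return thresholds


def detect(records, thresholds):
    """Map each anomalous source to the list of features it exceeded."""
    alerts = {}
    for src, f in features(records).items():
        reasons = [name for name in FEATURES if f[name] > thresholds[name]]
        if reasons:
            alerts[src] = reasons
    return alerts


if __name__ == "__main__":
    baseline = train_baseline(NORMAL)
    for label, records in (("normal", NORMAL), ("scan", SCAN), ("dos", DOS), ("worm", WORM)):
        for src, reasons in detect(records, baseline).items():
            print(f"{label}: {src} -> {[LABELS[r] for r in reasons]}")
```

Two caveats follow directly from the code: the baseline is only as good as the traffic it was trained on (an attacker already present during training raises the thresholds), and a scan that stays below the per-window thresholds, for example one port every few minutes, is not seen at all, which is why slow scans are usually caught by correlation over longer periods rather than by a single window.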
Stateful Protocol Analysis (SPA)
• A subset of anomaly detection that compares observed network traffic against predetermined, universal, vendor-supplied profiles of benign protocol traffic
• This distinguishes it from anomaly techniques trained on organization-specific traffic
• Understands and tracks network, transport, and application protocol states to ensure they progress as expected (for example, that no data is exchanged on a TCP connection before the three-way handshake has completed)
• A key disadvantage is the high resource use it requires: the sensor must keep per-connection state for every flow it sees, and an attacker can inflate that state with large numbers of half-open connections
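The following added example (written for these notes, not taken from any vendor's analyzer) encodes a benign TCP progression profile as a state table and checks constructed segment sequences against it. It also makes the resource cost visible: every flow that has started but not finished occupies an entry. The endpoints, the segment sequences and the simplified profile (no sequence numbers, retransmissions or simultaneous open) are assumptions.

```python
"""Stateful protocol analysis of TCP (added example, constructed segments).

A vendor-style profile of how a benign TCP connection progresses is encoded
as a transition table; segments that do not fit the current state are
reported.  The tracker also shows SPA's cost: it must hold state for every
flow, and half-open connections that never complete stay resident.
Sequence numbers, retransmissions and simultaneous open are not modelled
(assumption: one side opens the connection with a plain SYN).
"""
from collections import namedtuple

Segment = namedtuple("Segment", "src dst flags")   # flags as TCP flag letters, e.g. "SA", "PA"

# Benign progression profile: (state, direction, sorted flag letters) -> next state.
# direction is "c2s" for client->server; the client is the side that sent the first segment.
PROFILE = {
    ("CLOSED",      "c2s", "S"):  "SYN_SENT",
    ("SYN_SENT",    "s2c", "AS"): "SYN_RCVD",
    ("SYN_RCVD",    "c2s", "A"):  "ESTABLISHED",
    ("ESTABLISHED", "c2s", "A"):  "ESTABLISHED",
    ("ESTABLISHED", "s2c", "A"):  "ESTABLISHED",
    ("ESTABLISHED", "c2s", "AP"): "ESTABLISHED",
    ("ESTABLISHED", "s2c", "AP"): "ESTABLISHED",
    ("ESTABLISHED", "c2s", "AF"): "CLOSING",
    ("ESTABLISHED", "s2c", "AF"): "CLOSING",
    ("CLOSING",     "c2s", "A"):  "CLOSING",
    ("CLOSING",     "s2c", "A"):  "CLOSING",
    ("CLOSING",     "c2s", "AF"): "LAST_ACK",
    ("CLOSING",     "s2c", "AF"): "LAST_ACK",
    ("LAST_ACK",    "c2s", "A"):  "CLOSED",
    ("LAST_ACK",    "s2c", "A"):  "CLOSED",
}


class TcpStateTracker:
    def __init__(self):
        self.flows = {}    # frozenset({endpoint_a, endpoint_b}) -> (client, state)
        self.alerts = []

    def observe(self, seg):
        key = frozenset((seg.src, seg.dst))
        client, state = self.flows.get(key, (seg.src, "CLOSED"))
        direction = "c2s" if seg.src == client else "s2c"
        flags = "".join(sorted(seg.flags))
        nxt = PROFILE.get((state, direction, flags))
        if nxt is None:
            # Deviation from the benign profile; the flow keeps its old state.
            self.alerts.append(f"{seg.src} -> {seg.dst}: flags {flags} unexpected in state {state}")
            return
        if nxt == "CLOSED":
            self.flows.pop(key, None)          # connection finished; release its state
        else:
            self.flows[key] = (client, nxt)


def analyze(segments):
    """Return (alerts, number of flows still holding state)."""
    tracker = TcpStateTracker()
    for seg in segments:
        tracker.observe(seg)
    return tracker.alerts, len(tracker.flows)


C, S = "10.0.0.5:51234", "192.168.1.10:80"          # constructed endpoints
NORMAL_SESSION = [Segment(C, S, "S"), Segment(S, C, "SA"), Segment(C, S, "A"),
                  Segment(C, S, "PA"), Segment(S, C, "PA"),
                  Segment(C, S, "FA"), Segment(S, C, "A"), Segment(S, C, "FA"), Segment(C, S, "A")]
# Data pushed with no handshake (injection or ACK scan) and an unsolicited SYN-ACK.
SUSPICIOUS = [Segment("10.0.0.9:4444", S, "PA"), Segment(S, "10.0.0.11:1234", "SA")]
# SYN flood: handshakes that never complete leave one state entry each.
HALF_OPEN = [Segment(f"10.0.0.{i}:5000", S, "S") for i in range(100, 150)]

if __name__ == "__main__":
    for name, segs in (("normal", NORMAL_SESSION), ("suspicious", SUSPICIOUS), ("half-open", HALF_OPEN)):
        alerts, resident = analyze(segs)
        print(f"{name}: {len(alerts)} alert(s), {resident} flow(s) still holding state")
```

The profile is deliberately strict; a production analyzer has to tolerate retransmitted SYNs, RST teardowns and half-closed connections, which is exactly where the "high resource use" and the tuning effort of SPA come from.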
Logging alerts
Typical information logged by a NIDS sensor includes:
• Timestamp
• Connection or session ID
• Event or alert type
• Rating (e.g., priority, severity, impact, confidence)
• Network, transport, and application layer protocols
• Source and destination IP addresses
• Source and destination TCP or UDP ports, or ICMP types and codes
• Number of bytes transmitted over the connection
• Decoded payload data, such as application requests and responses
• State-related information
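As an added example of what these fields look like once a sensor writes them out, here is a Python parser for Snort 2's alert_fast log line format. The three alert lines are constructed for this example (local SIDs in the 1000000+ range and documentation IP addresses); the parser is not part of Snort and assumes IPv4 addresses and timestamps without a year.

```python
"""Parse Snort 2 alert_fast lines into structured records (added example).

The alert lines below are constructed for this example; the layout follows
Snort 2's alert_fast output.  Assumed simplifications: IPv4 only (an IPv6
address contains colons and would confuse the port split) and no year in
the timestamp.
"""
import re
from collections import Counter

ALERT_RE = re.compile(
    r"^(?P<timestamp>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<classification>[^\]]+)\]\s+)?"   # absent when the rule has no classtype
    r"\[Priority:\s+(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>[0-9.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[0-9.]+)(?::(?P<dport>\d+))?$"
)

# Constructed sample log; the last line is deliberately malformed.
SAMPLE_ALERTS = """\
01/28-22:26:04.885446  [**] [1:1000001:1] HYPOTHETICAL web probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:51234 -> 192.0.2.10:80
01/28-22:26:05.102233  [**] [1:1000002:1] HYPOTHETICAL ping sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.5 -> 192.0.2.10
01/28-22:26:07.418901  [**] [1:1000003:2] HYPOTHETICAL DNS probe [**] [Priority: 3] {UDP} 203.0.113.7:40001 -> 192.0.2.53:53
corrupt line that is not an alert and must be skipped
"""


def parse_alert(line):
    """One alert_fast line -> dict of fields, or None if it is not an alert line."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "priority", "sport", "dport"):
        rec[key] = int(rec[key]) if rec[key] is not None else None   # ICMP lines carry no ports
    return rec


def parse_alerts(text):
    """Return (records, number of lines that failed to parse)."""
    records, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_alert(line)
        if rec is None:
            skipped += 1
        else:
            records.append(rec)
    return records, skipped


def top_sources(records, n=5):
    """Sources ranked by alert count: a first triage view over the log."""
    return Counter(r["src"] for r in records).most_common(n)


if __name__ == "__main__":
    records, skipped = parse_alerts(SAMPLE_ALERTS)
    print(f"parsed {len(records)} alert(s), skipped {skipped} line(s)")
    for src, count in top_sources(records):
        print(f"{src}: {count} alert(s)")
```

Note what this compact format does not carry from the list above: no session ID, no byte counts, no decoded payload, and for ICMP the type and code are only implied by the rule message. Those fields are available in Snort's fuller output formats; the "fast" format is meant for a quick human read and for feeding a SIEM, not as the sole record of an incident.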
Distributed or hybrid HIDS
• Does not rely solely on perimeter defense mechanisms, such as firewalls, or on individual host-based defenses.
• Instead, each end host and each network device (e.g., routers) is considered to be a potential sensor and may have the sensor software module installed.
• Sensors in this distributed configuration can exchange information to corroborate the state of the network (i.e., whether an attack is under way).
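The corroboration step, as an added example written for these notes (not taken from any product): each host sensor sees only the probes aimed at its own host and none of them crosses a local threshold, but pooling the reports by source address exposes a source that is touching many hosts. The host names, addresses, report layout and both thresholds are assumptions.

```python
"""Corroborating probes across host sensors (added example, constructed reports).

Each host-based sensor sees only traffic aimed at its own host, so a source
that touches many hosts once or twice each never crosses a per-host
threshold.  Pooling the sensors' reports by source address makes the
distributed probe visible.  Thresholds and the report layout are assumptions.
"""
from collections import defaultdict

# (source_ip, dst_port) probes reported by each host's sensor (constructed).
REPORTS = {
    "host-a": [("198.51.100.4", 22), ("198.51.100.4", 80)],
    "host-b": [("198.51.100.4", 22), ("198.51.100.4", 443)],
    "host-c": [("198.51.100.4", 22)],
    "host-d": [("10.0.0.12", 22)],        # one SSH connection from an internal admin box
}
LOCAL_THRESHOLD = 3    # probes from one source before a single host raises an alert
GLOBAL_THRESHOLD = 3   # distinct hosts reporting the same source before the aggregate alerts


def local_alerts(reports):
    """What each host would conclude on its own: host -> sources over LOCAL_THRESHOLD."""
    alerts = {}
    for host, probes in reports.items():
        counts = defaultdict(int)
        for src, _ in probes:
            counts[src] += 1
        hot = sorted(src for src, n in counts.items() if n >= LOCAL_THRESHOLD)
        if hot:
            alerts[host] = hot
    return alerts


def corroborate(reports):
    """Aggregate view: sources reported by at least GLOBAL_THRESHOLD different hosts."""
    hosts_by_src = defaultdict(set)
    ports_by_src = defaultdict(set)
    for host, probes in reports.items():
        for src, port in probes:
            hosts_by_src[src].add(host)
            ports_by_src[src].add(port)
    return {src: {"hosts": sorted(hosts), "ports": sorted(ports_by_src[src])}
            for src, hosts in hosts_by_src.items() if len(hosts) >= GLOBAL_THRESHOLD}


if __name__ == "__main__":
    print("local alerts:", local_alerts(REPORTS))
    for src, detail in corroborate(REPORTS).items():
        print(f"corroborated: {src} probed {detail['hosts']} on ports {detail['ports']}")
```

The exchange that makes this possible is also an attack surface: a host that can forge or suppress reports can raise false alarms or hide a real sweep, so the sensor-to-aggregator channel needs authentication and integrity protection, and a compromised host's reports deserve less weight than its peers'.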
Distributed or hybrid HIDS
[Figure 8.6 Overall Architecture of an Autonomic Enterprise Security System. Elements shown: a distributed detection and inference (DDI) component; policy enforcement points (PEPs); platform policies, network policies, collaborative policies and adaptive feedback-based policies; PEP events, DDI events, platform events and summary events; and gossip exchange between platforms. PEP = policy enforcement point; DDI = distributed detection and inference]
IETF Intrusion Detection Working Group
• Purpose is to define data formats and exchange procedures for sharing information of interest to intrusion detection and response systems and to management systems that may need to interact with them
• Its published outputs are the requirements document (RFC 4766), the Intrusion Detection Message Exchange Format (IDMEF, RFC 4765) and the Intrusion Detection Exchange Protocol (IDXP, RFC 4767)
General message exchange framework
[Figure 8.7 Model for Intrusion Detection Message Exchange: a data source produces activity observed by a sensor; the sensor sends events to an analyzer; the analyzer sends alerts to a manager; the manager sends notifications to an operator, who issues a response; the administrator defines the security policy under which the analyzer and manager operate]
General message exchange framework
• Data source: Common data sources include network packets, operating system audit logs, application audit logs, and system-generated checksum data.
• Sensor: Collects data from the data source. The sensor forwards events to the analyzer.
• Analyzer: The ID component or process that analyzes the data collected by the sensor for signs of unauthorized or undesired activity or for events that might be of interest to the security administrator.
• Administrator: The human with overall responsibility for setting the security policy of the organization, and, thus, for decisions about deploying and configuring the IDS.
• Manager: Management functions typically include sensor configuration, analyzer configuration, event notification management, data consolidation, and reporting.
• Operator: The human operator often monitors the output of the IDS and initiates or recommends further action.
Honeypots
• Decoy systems designed to:
  • Lure a potential attacker away from critical systems
  • Collect information about the attacker's activity
  • Encourage the attacker to stay on the system long enough for administrators to respond
• Systems are filled with fabricated information that a legitimate user of the system wouldn't access
• Resources that have no production value
• Incoming communication is most likely a probe, scan, or attack
• Initiated outbound communication suggests that the system has probably been compromised
Honeypot types
• Low interaction honeypot
  • Consists of a software package that emulates particular IT services or systems well enough to provide a realistic initial interaction, but does not execute a full version of those services or systems
  • Provides a less realistic target
  • Often sufficient for use as a component of a distributed IDS to warn of imminent attack
• High interaction honeypot
  • A real system, with a full operating system, services and applications, which are instrumented and deployed where they can be accessed by attackers
  • Is a more realistic target that may occupy an attacker for an extended period
  • However, it requires significantly more resources
  • If compromised, could be used to initiate attacks on other systems, so its outbound traffic must be tightly restricted and monitored
Honeypot locations
[Figure 8.8 Example of Honeypot Deployment: the Internet connects through an external firewall to the service network (Web, Mail, DNS, etc.) and, via LAN switches or routers, to the internal network; three numbered candidate honeypot positions are marked]
Example: Snort
• Snort is a free and open source network intrusion prevention system (NIPS) and network intrusion detection system (NIDS)
• Real-time traffic analysis and packet logging on IP networks, protocol analysis, content searching and matching
• Detects probes or attacks, including, but not limited to, operating system fingerprinting attempts, semantic URL attacks, buffer overflows, server message block probes, and stealth port scans
• Three main modes
  1 Sniffer mode: read network packets and display them on the console
  2 Packet logger mode: log packets to the disk
  3 Intrusion detection mode: monitor network traffic and analyze it against a rule set defined by the user; the program then performs a specific action (alert, log, pass, or in inline operation drop) based on what has been identified
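To make the third mode concrete, here is an added example (written for these notes, not Snort's own code) that parses a small subset of the Snort rule language and applies three rules to constructed packets. The HOME_NET value, the rules (with SIDs in the local 1000000+ range) and the packets are all assumptions; port lists and ranges, bidirectional `<>` rules and every option beyond msg, content, nocase, itype, sid and rev are unsupported.

```python
"""A minimal Snort-rule matcher (added example, not Snort's own code).

Parses a subset of the rule language (header with one port per side, the ->
direction, $HOME_NET / $EXTERNAL_NET variables; options msg, content, nocase,
itype, sid, rev) and runs the rules over constructed packets.  HOME_NET, the
rules and the packets are assumptions made for the example.
"""
import ipaddress
import re

HOME_NET = [ipaddress.ip_network("192.0.2.0/24")]   # assumed site network

RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"HYPOTHETICAL directory traversal"; content:"../"; sid:1000010; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"HYPOTHETICAL admin path access"; content:"/admin"; nocase; sid:1000011; rev:1;)',
    'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"HYPOTHETICAL ICMP echo from outside"; itype:8; sid:1000012; rev:1;)',
]

# Constructed packets carrying only the fields the rules above need.
PACKETS = [
    {"proto": "tcp", "src": "203.0.113.5", "dst": "192.0.2.10", "sport": 51234, "dport": 80,
     "payload": b"GET /../../etc/passwd HTTP/1.1\r\n"},
    {"proto": "tcp", "src": "203.0.113.5", "dst": "192.0.2.10", "sport": 51235, "dport": 80,
     "payload": b"GET /ADMIN/ HTTP/1.1\r\n"},
    {"proto": "tcp", "src": "192.0.2.20", "dst": "192.0.2.10", "sport": 40000, "dport": 80,
     "payload": b"GET /../secret HTTP/1.1\r\n"},          # same pattern, internal source: no alert
    {"proto": "icmp", "src": "203.0.113.9", "dst": "192.0.2.10", "itype": 8, "payload": b""},
]

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<options>.*)\)\s*$")


def parse_rule(text):
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {text!r}")
    rule = {k: m.group(k).lower() if k == "proto" else m.group(k)
            for k in ("action", "proto", "src", "sport", "dst", "dport")}
    rule.update(contents=[], msg="", sid=0, rev=0, itype=None)
    for option in (o.strip() for o in m.group("options").split(";")):
        if not option:
            continue
        name, _, value = option.partition(":")
        value = value.strip().strip('"')
        if name == "content":
            rule["contents"].append({"pattern": value.encode(), "nocase": False})
        elif name == "nocase":                       # modifier for the preceding content
            rule["contents"][-1]["nocase"] = True
        elif name in ("sid", "rev", "itype"):
            rule[name] = int(value)
        elif name == "msg":
            rule["msg"] = value
    return rule


def addr_matches(spec, ip):
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip)
    if spec == "$EXTERNAL_NET":                      # Snort's usual setting: !$HOME_NET
        return not addr_matches("$HOME_NET", ip)
    nets = HOME_NET if spec == "$HOME_NET" else [ipaddress.ip_network(spec, strict=False)]
    return any(ipaddress.ip_address(ip) in n for n in nets)


def port_matches(spec, port):
    return spec == "any" or (port is not None and int(spec) == port)


def rule_matches(rule, pkt):
    if rule["proto"] != pkt["proto"]:
        return False
    if not (addr_matches(rule["src"], pkt["src"]) and addr_matches(rule["dst"], pkt["dst"])):
        return False
    if not (port_matches(rule["sport"], pkt.get("sport")) and port_matches(rule["dport"], pkt.get("dport"))):
        return False
    if rule["itype"] is not None and pkt.get("itype") != rule["itype"]:
        return False
    payload = pkt.get("payload", b"")
    for c in rule["contents"]:                       # every content option must be present
        hay, needle = (payload.lower(), c["pattern"].lower()) if c["nocase"] else (payload, c["pattern"])
        if needle not in hay:
            return False
    return True


def run_rules(rules, packets):
    """Return (src, sid, msg) for every alert-action rule that fires on a packet."""
    return [(pkt["src"], r["sid"], r["msg"])
            for pkt in packets for r in rules
            if r["action"] == "alert" and rule_matches(r, pkt)]


if __name__ == "__main__":
    for src, sid, msg in run_rules([parse_rule(r) for r in RULES], PACKETS):
        print(f"[1:{sid}] {msg} from {src}")
```

The third packet illustrates why the header matters as much as the content: the same "../" string from an internal address does not fire, which is what $EXTERNAL_NET is for. It also shows the limit of pure signature matching, since a request that encodes the traversal differently (for example percent-encoded) would pass this rule untouched; real Snort deployments rely on its HTTP preprocessor to normalise the URI before the content check.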
Snort