lecture8 ids

Upload: quan-nguyen-van

Post on 05-Apr-2018


  • 8/2/2019 Lecture8 IDS

    1/40

    Intrusion Detection Systems (IDS)

    Ng Vn Cng

    2/40

    IDS (Intrusion detection system)

    Detects attacks and probes against computers: prevent, detect and defend against attacks, and assess the damage.

    Intrusion detection: the process of identifying an intrusion that may happen, is happening, or has already happened.

    3/40

    Terminology

    Intrusion detection: detecting unauthorized access to a computer.

    Anomaly detection: detecting events that are not normal.

    4/40

    How does an IDS work?

    Detecting intrusions. In the past: reading the log files generated by security systems (firewalls). Today: the IDS itself reviews the log files and monitors resource usage: CPU, disk I/O, memory, user operations, and the number of system logins.

    The IDS maintains a database of signature files and of the characteristics of attacks. Every attack has its own characteristics, pattern and behaviour, and together these form its signature. An attack or intrusion is detected by matching the attack's indicators against the signature files in the database.

    5/40

    (cont.)

    A false positive occurs when the IDS treats normal network behaviour as a hacker attack.

    A false negative occurs when the IDS misses an intrusion into the system and treats it as normal network activity.

    6/40

    IDS vs Firewall

    The functions of an IDS and a firewall are often confused. A firewall works by blocking everything; the user then programs it to allow certain items through. A firewall lets internal users reach the outside but blocks outside users from reaching the internal network. A firewall is not a dynamic system: it cannot judge whether an attack is in progress.

    7/40

    IDS vs Firewall (cont.)

    An IDS is a more dynamic system: it is able to detect attacks against the network.

    Consider an example: an employee of the company receives an email from another employee saying that he has found a long-hidden secret document. The employee opens the email and clicks on the attached executable; the executable carries a Trojan, and the Trojan opens a connection to the hacker's computer. The firewall will not stop the hacker carrying out the attack over the common port 80, because the firewall is only configured to block outbound connections to certain ports; it sees an HTTP connection to a web server as just another connection.

    If an IDS is installed, it can raise an alert because this is unusual activity on the network.

    8/40

    Types of IDS

    To detect intrusions, an IDS is usually based on one of two techniques: the Anomaly-Detection Technique and the Misuse-Detection Technique.

    9/40

    Anomaly-Detection Technique

    Based on the hypothesis that every action that does not resemble a set of behaviour patterns is an abnormal action.

    The IDS learns a profile of normal activity on the network; any behaviour that does not resemble this profile is abnormal and raises an alert. A boundary is drawn around normal behaviour, usually generated from statistics collected on I/O activity, CPU and memory usage, and user activity.
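As an added example (not part of the lecture), the following Python sketch builds the statistical "boundary" described on this slide from constructed daily metrics (CPU, disk I/O, logins) and flags any day whose metrics fall more than three standard deviations from the norm. It also shows the two error types from the earlier slide: a legitimate backup day is flagged (false positive) and a small excess of logins is not (false negative).

```python
from statistics import mean, pstdev

# Constructed sample: one host's daily metrics during a week of normal
# operation (CPU %, disk I/O in MB, number of logins). Not real data.
BASELINE_DAYS = [
    {"cpu": 22.0, "disk_io": 400.0, "logins": 14},
    {"cpu": 25.0, "disk_io": 380.0, "logins": 12},
    {"cpu": 19.0, "disk_io": 450.0, "logins": 15},
    {"cpu": 24.0, "disk_io": 400.0, "logins": 13},
    {"cpu": 21.0, "disk_io": 430.0, "logins": 14},
    {"cpu": 23.0, "disk_io": 390.0, "logins": 11},
    {"cpu": 20.0, "disk_io": 420.0, "logins": 12},
]


def build_profile(days):
    """Statistical profile of normal behaviour: per-metric mean and std dev."""
    profile = {}
    for metric in days[0]:
        values = [d[metric] for d in days]
        # guard against a zero std dev so the z-score stays defined
        profile[metric] = (mean(values), pstdev(values) or 1e-9)
    return profile


def zscores(profile, observation):
    """How many standard deviations each metric lies from its normal mean."""
    return {m: (observation[m] - mu) / sigma for m, (mu, sigma) in profile.items()}


def detect(profile, observation, threshold=3.0):
    """Metrics that cross the boundary around normal behaviour (empty = no alert)."""
    return sorted(m for m, z in zscores(profile, observation).items() if abs(z) > threshold)


PROFILE = build_profile(BASELINE_DAYS)

if __name__ == "__main__":
    # A login storm is far outside the profile and is flagged (true positive).
    print(detect(PROFILE, {"cpu": 23.0, "disk_io": 415.0, "logins": 60}))
    # A legitimate full backup also crosses the boundary: a false positive.
    print(detect(PROFILE, {"cpu": 21.0, "disk_io": 1500.0, "logins": 13}))
    # A small excess of logins stays inside the boundary: a false negative
    # if those logins were an attacker's.
    print(detect(PROFILE, {"cpu": 24.0, "disk_io": 425.0, "logins": 16}))
```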

    10/40

    Misuse-Detection Technique

    Treats attacks as patterns and signatures. Maintains a database of attack signatures. An alert is raised when an attack resembles a pattern in the database. Works like an antivirus system. Does not produce false positives, but cannot detect attack types that have not been seen before.

    11/40

    Different kinds of IDS

    Network IDS (Network-based intrusion-detection systems)

    Host IDS (Host-based intrusion-detection systems)

    Hybrid IDS (Hybrid intrusion-detection systems)

    12/40

    Some terms used in IDS

    Command console: the control centre of the IDS, containing the tools for setting policies.

    Sensor: searches packets.

    Alert Notification: a warning about an attack (showing a message on screen, sending mail).

    Response Subsystem: when an attack is detected, there are response actions.

    Database: the storage system for every activity recorded by the IDS.

    13/40

    Network IDS

    Consists of sensors deployed across the whole network to monitor and analyse the packets passing through it, then forward the results to the command console.

    Two architectures: Traditional Sensor Architecture and Distributed Network-Node Architecture.

    Traditional Sensor: the sensor is attached to the network and captures the network's packets.

    14/40

    Traditional sensor architecture

    The steps a packet goes through in a network IDS:

    1. When a computer wants to exchange data with another computer, the data exchange begins.

    2. The packets are listened to on the network by the network sensors.

    3. The intrusion-detection component compares the packets with predefined patterns; if they match, an alert is raised and forwarded to the command console.

    4. Through the command console, the security team is alerted by various methods: email, SNMP.

    5. A response is generated, either automatically or by the security team.

    6. A sample is stored so that it can be reviewed and evaluated later.

    7. A report summarising the hacker's actions is produced.

    15/40

    Network IDS

    16/40

    Distributed Network-Node Architecture

    A sensor is attached to every computer on the network. Each sensor is only concerned with the packets arriving at its own machine. The sensor then communicates with the command console to raise alerts.

    17/40

    (cont.)

    The steps a packet goes through in the second solution:

    1. When one computer wants to communicate with another, packets are exchanged.

    2. The packets are then listened to on the network by the sensors attached to the destination computer.

    3. The intrusion-detection component compares these packets with predefined patterns; if they correspond, an alert is raised.

    4. Through the command console, the security team notifies the user.

    5. A response is generated automatically by the response system.

    6. The alert (sample) is stored for later review and evaluation.

    7. A report summarising the characteristics of the activity is produced.

    18/40

    (cont.)

    19/40

    How a network IDS operates

    Tip-off: detecting an intrusion into the network at the moment it is carried out.

    Surveillance: observing the behaviour of a set of components on the network.

    20/40

    Benefits of a network IDS

    Deterrence. Detection. Automatic notification and response mechanisms: reconfiguring the firewall/router, tearing down the connection.

    21/40

    Host IDS

    A host IDS uses information from the host computer. Data sources: system event log, application log.

    Effective for detecting intrusions from inside the network.

    22/40

    Attacks detected by a host IDS

    Misuse of privileged rights: occurs when a user is granted root or admin rights and uses them for illegitimate purposes.

    Abuse of elevated privileges: system administrators often grant elevated privileges to users so that they can install special applications.

    23/40

    Host IDS architecture

    There are two architectures for a host IDS.

    Target Agent: a small program that runs on the host. The agent on the host allows the host system to carry out locally privileged operations. It runs as a background process on Unix and as a service on Windows. One or more agents run on the host system.

    Centralized Host-Based Architecture

    24/40

    Centralized Host-Based Architecture

    25/40

    How it operates

    1. When an action takes place in the system (a file is accessed or a program is running), an event is created.

    2. The host's agent sends the file to the control centre at intervals, over a secured channel.

    3. The detection engine compares the file's behaviour pattern with the predefined behaviours.

    5. If the behaviour matches the predefined behaviour patterns, an alert is generated and passed to the subsystems for notification, response and storage.

    6. The security office issues notifications through communication channels (paper, email, ...).

    7. A response is issued.

    8. The alert is stored in the database.

    10. A report is generated summarising the alerts and events.

    26/40

    Advantages of a host IDS

    Detects resource abuse. Deters and prevents violations. Assesses the level of damage. Prevents harm from the inside.

    27/40

    Assessments of host IDS

    Performance: it is a distributed mechanism that processes data originating from the hosts. Because of the host IDS architecture, the host's performance may suffer.

    Windows NT workstation: 1 MB, Windows NT server: 8 MB, Unix: 20 MB. Consider a network of 10 Windows NT servers, 5 Unix servers, 200 Windows NT workstations and 50 Unix workstations: the total data generated reaches 800 MB per day.

    28/40

    (cont.)

    Deployment and maintenance: difficult, because it is a distributed system that needs a remote update mechanism.

    Vulnerability: the purpose of installing the IDS is defeated if a hacker can break into the host and shut down the agents.

    The IDS is usually ineffective against the hacker's first intrusion; it is only effective at detecting predefined behaviours.

    Tampering with the agent's records: a hacker can break into the agents and alter the information inside them.

    29/40

    Comparison of network IDS and host IDS

    | Aspect            | Network IDS                                                                   | Host IDS                                                                      |
    |-------------------|-------------------------------------------------------------------------------|-------------------------------------------------------------------------------|
    | Deterrence        | Weak deterrence against internal intrusions                                   | Strong deterrence against internal intrusions                                 |
    | Detection         | Good detection of external intrusions; weak detection of internal intrusions  | Good detection of internal intrusions; weak detection of external intrusions  |
    | Response          | Real-time response to external intrusions                                     | Real-time response to internal intrusions                                     |
    | Damage assessment | Weak                                                                          | Strong                                                                        |

    30/40

    Honeypot: a complementary tool for IDS

    Another tool used to detect intrusions into the system.

    Works on the principle of deception. Its aim is to lure hackers by simulating a computer on the network that can be compromised. The honeypot is used by the IDS to discover the different ways of harming the system. When a hacker attacks, his activity is recorded in a log file.

    The IDS relies on this log file to detect similar kinds of attack.

    31/40

    Kinds of honeypot

    Production honeypot: helps detect intrusions that the IDS cannot detect.

    Research honeypot: used for research purposes; deployed to analyse hackers' attack activity.

    32/40

    Using honeypots

    Port monitor: a fake program used to set traps for the hacker by letting him establish a connection to it.

    Deception system: simulates an environment the hacker can interact with.

    Multi-protocol deception system: provides a mechanism for simulating other systems; a honeypot running on Windows NT can simulate a Unix environment.

    Full system: the IDS works together with the honeypot.

    33/40

    Snort

    Basics: a rule consists of a header and options.

    Rule header: alert tcp any any -> 192.112.12.0/24 111

    Rule options: (content:"foobar"; msg:"example";)

    Complete rule: alert tcp any any -> 192.112.12.0/24 111 (content:"foobar"; msg:"example";)

    34/40

    In theory

    Signatures guarantee that an alert is raised only when there is a real attack. Writing signatures is very easy. Multi-pattern matching: allows many patterns to be compared at the same time.

    35/40

    In practice

    There are many different reasons that can lead to false alerts. Writing good signatures is very hard. It is not only Snort: most other products are no better than Snort, and some are weaker.

    36/40

    Content

    The content keyword searches for a keyword in the packet's data (payload). Its argument can be ASCII or binary data.

    37/40

    Depth, Offset

    The depth keyword lets the rule writer specify how far into the packet Snort searches for a given pattern.

    The offset keyword lets the rule writer specify where in the packet the pattern search starts. This reduces search time.

    38/40

    Options

    Besides the content keyword, several other options on the packet header can be used to filter the traffic further.

    However, these options are only checked after the content check.

    Some options: dsize: checks the payload size. flags: checks for the presence of certain TCP flag bits. flow: applies the rule to traffic belonging to an established connection.

    39/40

    Rules

    alert tcp $out any -> $in any (msg:"SCAN cybercop os PA12 attempt"; content:"AAAAAAAAAAAAAAAA"; depth:16;)

    alert icmp any any -> any any (msg:"Ping with TTL=100"; ttl:100;)

    Many rules already exist.
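As an added example (not from the lecture and not Snort's own engine), the Python below applies the content, depth, offset, ttl and destination-port checks described on the previous slides to constructed packets, using the two rules above and the basic rule from the Snort slide. The $out/$in address fields are omitted and the packets are constructed samples; the last case shows the misuse-detection limitation, where a payload that differs from the signature (different case) raises no alert.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Packet:
    proto: str                  # "tcp" or "icmp"
    dst_port: Optional[int]     # None for protocols without ports
    ttl: int
    payload: bytes              # constructed sample data in this example

@dataclass
class Rule:
    msg: str
    proto: str
    dst_port: Optional[int] = None   # None means "any"
    content: Optional[bytes] = None  # ASCII or binary pattern
    offset: int = 0                  # where in the payload the search starts
    depth: Optional[int] = None      # how many bytes after offset are searched
    ttl: Optional[int] = None

    def content_matches(self, payload: bytes) -> bool:
        """Search only the window payload[offset:offset+depth]."""
        if self.content is None:
            return True
        end = len(payload) if self.depth is None else self.offset + self.depth
        return payload.find(self.content, self.offset, end) != -1

    def matches(self, pkt: Packet) -> bool:
        # header options (proto, port, ttl) are checked alongside the content test
        if pkt.proto != self.proto:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        if self.ttl is not None and pkt.ttl != self.ttl:
            return False
        return self.content_matches(pkt.payload)

# The rules from this slide and from the Snort basics slide, minus the IP fields.
RULES = [
    Rule(msg="SCAN cybercop os PA12 attempt", proto="tcp", content=b"A" * 16, depth=16),
    Rule(msg="Ping with TTL=100", proto="icmp", ttl=100),
    Rule(msg="example", proto="tcp", dst_port=111, content=b"foobar"),
]

def evaluate(pkt: Packet, rules: List[Rule] = RULES) -> List[str]:
    """msg of every rule that fires; this is what the alert subsystem would log."""
    return [r.msg for r in rules if r.matches(pkt)]
```

Note that depth:16 makes the 16 A's match only when they start within the first 16 payload bytes, so the same run of A's preceded by "GET /" is not reported.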
