Intrusion Detection Flashcards
Intrusion Detection
intrusion -> hostile, unwanted trespass by users or software
insiders that perform actions beyond those authorized
Security intrusion -> unauth act of bypassing the sec mechanisms of a system
Intrusion detection -> hw or sw function that gathers and analyzes information from various areas within a computer or a network to identify possible sec intrusions
Types of intruders
cybercriminals -> financial reward
activists -> social/political causes. low skill level
state-sponsored organizations -> gov-backed, conduct espionage or sabotage (Advanced Persistent Threats)
others -> reputation/peer-group esteem
Skill level
apprentice -> minimal tech skill uses attack toolkits
journeyman -> sufficient tech skills may locate new similar exploits
master -> high tech skill discover new categories and write attack toolkits
examples
defacing web server
guessing/cracking pwds
view sensitive data
running packet sniffers to capture user/pwds
using unattended, logged-in workstations w/o permission
doing social engineering (pose as executive, call help desk to reset email pwd and learn new pwd)
Defense in depth strategy
Encryption of sensitive information
Detailed audit trails
Strong authentication and authorization controls
Active management of OS
Application Security
Behavior of Intruder
- Target Acquisition and Information Gathering: identifies and characterizes the target systems using publicly available information and network exploration tools to map target resources
- Initial Access: exploiting remote network vulnerability, installation of malware via social engineering or drive-by download
- Privilege Escalation: via local access vulnerability
- Information Gathering or System Exploit: Access/modify information or resources on the system
- Maintaining Access: backdoor or covert authentication credentials
- Covering tracks: disables or edits audit logs
Intrusion Detection System
Sensors -> collecting data. Network packets, log files, system call traces.
Analyzers -> receives inputs from one/more sensors and determines if intrusion occurred.
UI
Types
Host-based -> single host
Network-based -> network traffic, network packets or devices
Distributed or hybrid -> combines information from a number of sensors
Insights
legitimate and illegitimate behavior overlap. patterns of legitimate use can be established by observing history and validating deviations. Identified by intelligent definition of the class of conditions.
Base-rate fallacy -> if the actual # of intrusions is low, then the false alarm rate will be high.
Requirements:
run continually w/o human supervision
fault tolerant
resist subversion, monitor itself
impose minimal overhead
configured by sec policies
adapt or scale to changes
graceful degradation
dynamic reconfiguration
Analysis approaches
Anomaly detection -> collect data on behavior of legitimate users over some time. (high alarm rate)
distinct times or continuous
statistical -> univariate, multivariate or time-series model
uni: each variable is an independent random variable
multi: correlation between metrics
time-series: order and time
low computational cost, but difficult to select suitable metrics
knowledge based -> expert system classifies behavior
classify based on rules, FSM or description language. Robust and flexible but costly to develop
machine-learning -> classification model from the training data
data mining to develop model
requires significant time/computational power
Bayesian, Markov models, NN, fuzzy set theory, genetic algs (inheritance, mutation, selection and recombination), clustering and outlier detection (group into clusters based on some similarity or distance measure).
Strength:capture interdependencies
Disadvantage: only trained with legitimate behavior
Signature or Heuristic detection -> set of known malicious data patterns or attack rules compared with current behavior (no 0-day attacks)
Match known patterns against data stored on a system or in transit
difficulty: needs a large enough set of signatures to minimize false alarm rate, or retraining for new malware
Rule-based: use of rules to analyze attack tools and scripts collected on the internet.
IDS Classification
Host-based IDS -> for sensitive layers (db, admin system)
it can detect both ext/int intrusions, anomaly-based or signature/heuristic approach
data sources: system call traces -> windows (complicated due to DLLs obscuring processes that use specific system calls)
audit -> accounting sw that collects info on user activity, intruders may try to manipulate it
file integrity checksums -> periodically scan crypto checksums of files
registry -> monitor access to registry
anomaly
mostly done in unix systems, based on system call traces, info on process activity to classify as normal/abnormal. OS hooks like BSM audit module.
HMM, ANN, SVM, Extreme learning machines to make the classification.
Detection rate of 95-99%, false positives less than 5%
windows difficulty due to DLLs, but using traces of key DLL functions is similar to analyzing a linux system call trace.
Tripwire detects changes to files using a baseline, but running processes are more difficult to track
signature-based
antiviruses use a db of file signatures or heuristic rules, good for known malware but not for 0-day attacks
distributed -> heterogeneous data, integrity and confidentiality of data transmitted, centralized = bottleneck, decentralized = coordination
Network based IDS
examines traffic packet by packet in ~real time to detect intrusions
perimeter, associated with firewall
analyze traffic patterns and traffic content
loses visibility into encrypted content
Types of NIDS
inline -> between internet and lan, traffic must go through
NIDS + LAN switch (or Firewall)
blocks an attack when detected, detection + prevention
wireless -> into Access Point (AP)
passive -> monitors copy of network traffic
more efficient, does no extra handling of traffic
no IP address (promiscuous mode)
wireless -> traffic monitor
Wireless IDS (WIDS) - vulnerable to DDoS, Session hijack or AP impersonation
Deployment Strategies
after external firewall
- sees attacks from outside that passed the firewall, finds problems with firewall policies, attacks might target web server or ftp, recognizes compromised internal servers
before external firewall (directly to internet)
documents number/types of attacks from internet
but higher processing burden
after internal servers and database networks
increases chance of spotting attacks
unauth activity by authorized users
can be tuned to specific protocols and attack types
after workstation networks
attacks targeting critical systems/resources
focuses limited resources
Intrusion Detection Techniques
Statistical Packet Anomaly Detection Engine (SPADE) as in the Snort system
===signature detection
app layer
Attack patterns like buffer overflows, password guessing and malware transmissions in protocols DHCP, DNS, Finger, FTP, HTTP, IMAP, IRC, NFS, POP, rlogin/rsh, RPC, SIP, SMB, SMTP, SNMP, telnet, TFTP, DB, IM or P2P
transport layer
analyze TCP/UDP -> unusual packet fragmentation, scans for vulnerable ports, TCP-specific attacks SYN floods
network layer
IPv4, IPv6, ICMP, IGMP -> spoofed addresses and illegal IP header values
unexpected app services
host running unauth application service
policy violations
inappropriate websites and forbidden app protocols
===anomaly detection
DDos -> significant increase in packet traffic or connection attempts
Scanning -> probe target network or system by sending different kinds of packets, atypical flow patterns (app -> banner grabbing, transport -> TCP/UDP port scanning, network -> ICMP scanning)
worms can be found by hosts that usually don’t communicate or don’t usually use certain ports.
P2P gossip to inform other machines of suspicion, in the form of a probability that the network is under attack; if a threshold is passed an alert is sent to the central system
Summary -> collected from various sources and summarized
PEP -> policy enforcement point, correlate distributed information
DDI -> distributed detection and inference, alerts generated from gossips
Intrusion Detection Exchange Format
RFC 4766 -> communication protocol
RFC 4765 -> data model
RFC 4767 -> app level protocol
Honeypots
Lure attacker away from critical systems
there is no legitimate use of the system, so if it initiates outbound communication it was compromised
Low or high interaction honeypot
By Location
outside the external firewall -> tracks attempts to connect to unused IP addresses within the scope of the network, does not risk the internal network and reduces burden
inside DMZ or inside network
admin must ensure other systems in the DMZ are secure; behind the firewall it might be necessary to lower firewall security or lose effectiveness of the honeypot
also honeyfiles can entice attackers