1
Advances in Network Security
Case Study: Intrusion Detection
Max Lakshtanov
COMP 529T 7-10
2
Intrusion Detection
Introduction and Background
Overview of Mobile Agents
Mobile Agents vs. Intruders
Other Intrusion Detection Techniques
Conclusion
Questions
3
Network Security: preventive and reactive
Preventive approach: prevent intrusions from occurring
  User authentication – logins and passwords
  Firewalls – filter network traffic
Reactive approach: Intrusion Detection System (IDS)
  How to detect intrusions
  How to respond
4
Firewalls
A firewall is a security device that allows limited access into and out of one's network from the Internet
A piece of hardware connected to a network for protection
Only permits approved traffic in and out of one's local site
Allows the administrator to select the services necessary to one's business and screens out the rest
5
Types of Attacks
[Diagram: attack paths into a corporate intranet. Hackers on the Internet, a mobile worker, a supplier and a branch office all connect through the Internet to the company's web site, mail server and the Manufacturing, Engineering and HR/Finance segments of the intranet.]
6
Why are firewalls not enough?
Not all access to the Internet occurs through the firewalls
Not all threats originate from outside the firewall
Firewalls are subject to attack themselves
Little protection against data-driven attacks (e.g. virus-infected programs or data files, as well as malicious Java applets and ActiveX controls)
7
What is an Intrusion Detection System?
Concept established in 1980 by J. P. Anderson
Abbreviated IDS, it is a defense system that detects hostile activities in a network
IDS complements firewalls by allowing a higher level of analysis of traffic on a network, and by monitoring the behavior of sessions on the servers
Helps computer and network systems prepare for and deal with an attack
8
Basic Intrusion Detection
[Diagram: Intrusion Detection System infrastructure. The IDS monitors the target system, reports, and responds.]
9
Desirable characteristics
Run continually
Fault tolerant
Resist subversion
Minimal overhead
Configurable
Adaptable
Scalable
Provide graceful degradation of service
Allow dynamic reconfiguration
10
What does an IDS do?
IDS inspects all inbound and outbound network activity and identifies suspicious patterns that may indicate a network or system attack
In a passive system, the IDS detects a potential security breach, logs the information and signals an alert
In a reactive system, the IDS logs off a user or reprograms the firewall to block network traffic from the suspected malicious source
11
First major type of IDS
Host-based IDS: loaded on each protected asset
make use of system resources (disk space, RAM, CPU time)
detect host-related activity
analyze operating system, application, and system audit trails
can be self-contained or remotely managed
some attacks cannot be detected at a single location
13
Second major type of IDS
Network-based IDS: monitor activity on a specific network segment
usually dedicated platforms with two components:
  Sensor – passively analyzes network traffic
  Management system
    displays alarm information
    configures the sensors
    performs rules-based or expert system analysis
scalability problems under high network load
problems with encrypted communication
15
Audit Data Example
From the operating system: shell command records
From the network: network connection records
16
What are False Positives?
Occur when the system classifies an action as a possible intrusion when it is a legitimate action
Any alert that was triggered incorrectly, e.g. alerts about telnet connections that are legitimate
Common causes
  Abnormal traffic patterns
  Too much traffic (high-bandwidth connections)
  Incorrectly configured software
Results
  Tend to clutter up the displays
  Attacker may use this to cause DoS attacks using auto responses
17
Analysis Techniques
Misuse Detection
  predetermined knowledge base
  high levels of detection accuracy
  minimal number of false positives
Problems
  relies heavily on the thorough and correct construction of this knowledge base
  variations of known attacks
  intrusions not in the knowledge base
  traditionally requires human domain experts
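Added example (Python, not code from the slides): a toy misuse detector whose knowledge base is applied to constructed audit records of the two kinds listed on slide 15, shell command records and network connection records. The rule, the records, the addresses and the failure threshold are all invented for the illustration. The final call shows the problem listed above: a variation the knowledge base does not describe raises no alert.

```python
import re
from collections import defaultdict

# Constructed audit data (not from the slides).
# Shell command records: (user, command)
SHELL_RECORDS = [
    ("alice", "ls -la"),
    ("alice", "cat /etc/passwd"),
    ("bob", "id"),
    ("bob", "uname -a"),
    ("bob", "cat /etc/passwd"),
    ("bob", "cat /etc/shadow"),
]
# Network connection records: (source address, destination port, outcome)
CONN_RECORDS = [
    ("10.0.0.5", 23, "fail"),
    ("10.0.0.5", 23, "fail"),
    ("10.0.0.5", 23, "fail"),
    ("10.0.0.5", 23, "fail"),
    ("10.0.0.9", 80, "ok"),
]

# The knowledge base: each rule is an ordered list of regexes that must match
# successive commands of one user (the "suspicious sequence of commands" case).
SHELL_RULES = {
    "recon-then-shadow-read": [r"^(id|uname)\b", r"^cat /etc/shadow$"],
}
LOGIN_FAIL_THRESHOLD = 3  # assumed threshold for "repeated login failures"


def detect_shell(records, rules=SHELL_RULES):
    """Misuse detection over shell records: report (rule, user) for every
    user whose command history contains a rule's sequence, in order."""
    by_user = defaultdict(list)
    for user, cmd in records:
        by_user[user].append(cmd)
    alerts = []
    for user, cmds in sorted(by_user.items()):
        for name, sequence in rules.items():
            pos = 0  # index of the next pattern we still need to see
            for cmd in cmds:
                if pos < len(sequence) and re.search(sequence[pos], cmd):
                    pos += 1
            if pos == len(sequence):
                alerts.append((name, user))
    return alerts


def detect_conn(records, threshold=LOGIN_FAIL_THRESHOLD):
    """Misuse detection over connection records: count failed connections per
    (source, port) and report those reaching the threshold."""
    fails = defaultdict(int)
    for src, port, outcome in records:
        if outcome == "fail":
            fails[(src, port)] += 1
    return [("repeated-login-failure", src, port, n)
            for (src, port), n in sorted(fails.items()) if n >= threshold]


if __name__ == "__main__":
    print(detect_shell(SHELL_RECORDS))
    print(detect_conn(CONN_RECORDS))
    # A variant not in the knowledge base yields nothing (the problem above).
    print(detect_shell([("carol", "id"), ("carol", "less /etc/shadow")]))
```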
18
Analysis Techniques
Anomaly Detection
  events unlike normal system behavior
  variety of techniques, including statistical modeling, neural networks, hidden Markov models
  baseline model that represents normal system behavior, against which anomalous events can be distinguished
  threshold of the range of normal behavior
19
Anomaly Detection
Advantages
  ability to identify new and previously unseen attacks
  automated, do not require expert knowledge of computer attacks
Problems
  attacks that resemble normal behavior
  higher numbers of false positives
  all anomalous events assumed to be intrusive
  false positives if implementation errors
20
Unrealistic Expectations
They are not silver bullets for security
They cannot compensate for weak identification and authentication mechanisms
They cannot conduct investigations of attacks without human intervention
They cannot compensate for weaknesses in network protocols, applications, systems, ...
They cannot analyze all of the traffic on a network
They cannot always deal with problems involving packet-level attacks
21
Problems of existing monolithic IDS
Central data collection and analysis
Single point of failure
Network traffic
Computational workload
Ad Hoc Networks
Possibility of distributed, coordinated attacks
Lack of common vocabulary or standards
22
Wireless Ad Hoc Networks
Collection of mobile nodes
No pre-existing communication infrastructure
Each node can act as router as well as host
Dynamic participation of each node
No centralized authority for authentication and monitoring
23
Vulnerabilities of ad hoc networks
Wireless communication (open media)
Cooperation among nodes is necessary (lack of a centralized authority)
Don't rely on existing infrastructure
Have many operational limitations:
  Transmission range and bandwidth
  Energy, CPU, and memory
Autonomous units capable of roaming independently
  easily captured and compromised without physical protection
  very expensive and not scalable if physically protected
24
Vulnerabilities of ad hoc networks
Usually used in situations where rapid deployment is necessary
Usually deployed in hostile (not physically protected) places
Dynamic topology change (due to mobility)
Lack of key concentration points (e.g. switches and routers)
No firewalls or gateways
Difficult to distribute and update signatures (detection database)
25
ID Techniques
Mobile Agents
Haystack Algorithm
Indra
Detection at network layer
Multi-layer detection
26
What are Mobile Agents?
executing programs that can migrate from machine to machine in a heterogeneous network under their own control
correlate all suspicious events that occurred in different monitored hosts
may have these characteristics: autonomous, goal-driven, reactive, social, adaptive, mobile
27
Mobile Agent Characteristics
can be programmed to satisfy one or more goals
move independently from one device to another on a network
generally serializable and persistent
provide more accurate alarms
dynamically increase/reduce the suspicion level of a certain host or login user
evade attackers
can resurrect themselves if attacked
28
Components
Two components: agent and agent platform
The mobile agent contains the code and state information needed for carrying out computation tasks on an agent platform
29
Advantages of Mobile Agents
Reducing Network Load - move logic, not data
Overcoming Network Latency - agents operate directly on the host
Autonomous Execution - still function when portions of the IDS get destroyed or separated
Platform Independence - inserts an OS-independent layer between the hosts and the IDS using agents
Dynamic Adaptation - reconfigure at run-time
Upgradability - signature database and the detection algorithms are up-to-date
Scalability – reduce computational and network load
30
Problems of Mobile Agents
Security - several security implications that must be considered:
  the host (and the agent platform) must be protected against malicious code
    certificates, digital signatures
  agents can be modified/eavesdropped when they move over the network
    encrypting agents
  mobile agents can be attacked by a malicious agent platform itself
    difficult to fight when agents need unrestricted movement around the network
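Added example (Python, not code from the slides or from any of the agent systems they name) for the first two points above, protecting the host and the agent against modification in transit: the agent's serialized state is tagged with an HMAC so the receiving platform rejects anything altered on the wire or produced by an unknown party, and the platform only executes agent code it already knows by identifier. The key, the agent behaviour and the suspicion-level state are invented; the slide's certificates and digital signatures are stood in for by a shared-key MAC so the example runs offline.

```python
import hashlib
import hmac
import json

# Constructed shared key between cooperating agent platforms. The slide calls
# for certificates and digital signatures; a keyed MAC stands in for them here.
PLATFORM_KEY = b"constructed-demo-key-not-for-production"


def pack_agent(code_id, state, key=PLATFORM_KEY):
    """Serialise an agent (code identifier + state) and append an HMAC tag
    so the receiving platform can detect modification in transit."""
    payload = json.dumps({"code_id": code_id, "state": state},
                         sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"\n" + tag


def unpack_agent(blob, key=PLATFORM_KEY):
    """Verify the tag before deserialising. Returns None for any blob that
    was altered, truncated or produced under a different key."""
    try:
        payload, tag = blob.rsplit(b"\n", 1)
    except ValueError:
        return None
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(payload)


def login_watch(state, observations):
    """Agent behaviour (invented): raise the suspicion level of the visited
    host by the number of failed logins observed there."""
    state = dict(state)
    state["suspicion"] = state.get("suspicion", 0) + observations.count("fail")
    return state


# The platform only executes code it already knows by identifier; the
# migrating blob carries state, never executable code (assumed design).
AGENT_CODE = {"login_watch": login_watch}


def run_agent(blob, observations):
    """Agent platform: authenticate the arriving agent, run the registered
    behaviour on local observations, and re-pack it for the next hop."""
    agent = unpack_agent(blob)
    if agent is None:
        return None                      # tampered or unauthenticated agent
    behaviour = AGENT_CODE.get(agent["code_id"])
    if behaviour is None:
        return None                      # unknown code: refuse to execute
    new_state = behaviour(agent["state"], observations)
    return pack_agent(agent["code_id"], new_state)


if __name__ == "__main__":
    blob = pack_agent("login_watch", {"host": "h1", "suspicion": 0})
    moved = run_agent(blob, ["ok", "fail", "fail"])
    print(unpack_agent(moved)["state"])             # suspicion becomes 2
    forged = blob.replace(b'"suspicion": 0', b'"suspicion": 9')
    print(unpack_agent(forged))                      # None: tag mismatch
```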
31
Problems of Mobile Agents
Code Size
  Complex piece of software; agents might get large
  Transferring an agent's code over the network takes time
  Only needed once, when hosts store agent code locally
Performance
  Often written in scripting or interpreted languages to be easily ported between different platforms. This mode of execution is very slow compared to native code.
  As an IDS has to process a large amount of data under very demanding timing constraints (near real-time), the use of MAs could degrade its performance.
32
IDSs using agents
Autonomous Agents For Intrusion Detection (AAFID) at Purdue
Local Intrusion Detection System (LIDS)
Mobile Agent Intrusion Detection Systems (MAIDS)
Intrusion Detection Agent System (IDA) at IPA, Japan
34
The problem
Monolithic IDS
  Limited scalability
  Single point of failure
  Difficult configurability
  Prone to insertion and evasion attacks
[Diagram: one central IDS connected to many hosts]
35
AAFID architecture
Distributed data collection and analysis
Autonomous agents
  Independent entities
  Hierarchical structure
38
What is an Agent?
Independently-running entity
Usually a separate process or thread
Can keep state
May perform arbitrary actions
Can be very simple or very complex
May exchange data with other entities
39
What is a Transceiver?
Communications backbone for a host
Handles all the agents in a host
May do processing on data received from agents
Interacts with a monitor
40
What is a Monitor?
Highest level entity
Main control and data processing entity
Handles one or more transceivers
Can control other monitors
Can be connected hierarchically to other monitors
May interact with a user interface
41
What is a Filter?
Platform and OS specific entity
Extracts necessary data, providing a hardware and OS abstraction layer
Subscription-based mechanism
Allows for increased portability of agents
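Added example (Python, not the AAFID code, which is Perl) modelling the agent / transceiver / monitor hierarchy of slides 38 to 41: agents produce findings from a host's audit events, the transceiver reduces them to per-host counts and makes only host-local decisions, and the monitor correlates the summaries across hosts. The hosts, events and thresholds are invented; the case shown is the one slide 11 warns about, an attack that no single host can detect because each host sees only one failed login from the same source.

```python
from collections import Counter, defaultdict

PER_HOST_FAIL_THRESHOLD = 3  # what a lone host-based check would need (assumed)
MIN_HOSTS_FOR_SWEEP = 2      # monitor-level correlation threshold (assumed)

# Constructed audit events per host: (event kind, detail). Not from the slides.
HOST_EVENTS = {
    "hostA": [("login_fail", "10.9.9.9"), ("login_ok", "10.0.0.2")],
    "hostB": [("login_fail", "10.9.9.9"), ("writable_config", "/etc/ids.conf")],
    "hostC": [("login_fail", "10.9.9.9"), ("login_ok", "10.0.0.3")],
}


def login_agent(events):
    """Agent: one finding per failed login, keyed by source address."""
    return [("login_fail", src) for kind, src in events if kind == "login_fail"]


def fs_agent(events):
    """Agent: one finding per writable configuration file."""
    return [("writable_config", path) for kind, path in events
            if kind == "writable_config"]


AGENTS = (login_agent, fs_agent)


def transceiver(host, events):
    """Per-host transceiver: run all agents on the host, reduce their findings
    to counts, and make only host-local decisions."""
    summary = defaultdict(Counter)
    for agent in AGENTS:
        for kind, detail in agent(events):
            summary[kind][detail] += 1
    local_alerts = [(host, "login_fail", src)
                    for src, n in summary.get("login_fail", {}).items()
                    if n >= PER_HOST_FAIL_THRESHOLD]
    return host, dict(summary), local_alerts


def monitor(reports):
    """Monitor: correlate the transceivers' summaries across hosts."""
    hosts_by_src = defaultdict(set)
    alerts = []
    for host, summary, local_alerts in reports:
        alerts.extend(local_alerts)
        for src in summary.get("login_fail", {}):
            hosts_by_src[src].add(host)
        for path in summary.get("writable_config", {}):
            alerts.append((host, "writable_config", path))
    # The distributed pattern: one source failing on several hosts.
    for src, hosts in sorted(hosts_by_src.items()):
        if len(hosts) >= MIN_HOSTS_FOR_SWEEP:
            alerts.append(("*", "distributed_login_sweep", src, sorted(hosts)))
    return alerts


def run(host_events=HOST_EVENTS):
    """Wire the hierarchy together: one transceiver per host, one monitor."""
    reports = [transceiver(h, ev) for h, ev in sorted(host_events.items())]
    return monitor(reports)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Each transceiver on its own raises nothing for the login failures (one per host, below the host-local threshold); the monitor, seeing the reduced summaries together, raises the cross-host alert.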
42
AAFID2 prototype
Road-test the architecture
Focus on usability and flexibility
Run-time distribution of code
Little focus on performance
Provides infrastructure for development
Uses pipes and TCP for communication
Implemented in Perl5
Easy portability, easy to install and run
43
Development support
APIs for development of Agents and Filters
Code generation tool for agents already exists
The APIs implement generic behavior, so implementers only need to add specific functionality.
44
Graphical User Interface
Very simple support for starting and controlling entities
Implemented in Perl/Tk
Current status: prototype distributed to the public
ftp://coast.cs.purdue.edu/pub/coast/AAFID/
http://www.cs.purdue.edu/coast/projects/autonomous-agents.html
45
Performance impact
Measurements on 22 machines in the COAST lab over 14 hours (Sparc LX, Sparc 5, Sparc 10, Ultra 1, Ultra 2)
On average:
Component            %CPU      %MEM
GUI                  ~0.5%     ~8%
Monitor              ~2%       ~6%
Transceiver          ~0.1%     ~4%
Agents (combined)    ~0.26%    ~4.5%
46
Detection
ARP cache poisoning
Writable user and configuration files
Suspicious sequences of commands
Accesses to network services
Health of system services
Repeated login failures
Configuration problems in ftp and www servers
47
Benefits of AAFID
Graceful degradation of service
Scalability
Easier to modify configuration
Information can be collected at the end host
Can combine host-based and network-based approaches to intrusion detection
48
Drawbacks of AAFID
Monitors may still be single points of failure
  Solution: hierarchical structure, redundancy
  Ensure consistent information among redundant monitors
Detection of intrusions at monitor level delayed until all information reaches the monitor
Difficult to keep global state
Data reduction is not implemented correctly
Still creates a lot of network traffic
More difficult to do failure tolerance
50
ID in ad hoc wireless network
[Diagram: ID in an ad hoc wireless network. Mobile agents move between the nodes, each of which runs a LIDS.]
51
Features of LIDS
Reliable
Flexible
Behavior based
Blackboard-based architecture
Controlled by autonomous agents
Learning and adapting capability
Low maintenance cost
Uses building blocks of computational intelligence as intrusion analyzer
Low rate of false positives
53
Haystack Algorithm
Host-based system
A statistical anomaly detection algorithm
Requires a designated node to act as a central administrator
Uses audit trail generated from host
Analyzes users' session vectors
Weight-scoring with threshold vectors
Able to detect several types of intrusions
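Added example (Python, not code from the slides or from Haystack itself) that serves both the anomaly-detection slides (18 and 19) and the Haystack slide above: a per-user baseline built from session vectors, a threshold vector in standard deviations, and weight scoring against an alarm level. The features, training sessions, thresholds, weights and alarm level are invented. The third call in the main block shows the problem slide 19 lists, an attack that stays within the normal range and is therefore missed.

```python
import statistics

# Feature order of a session vector (constructed for the example).
FEATURES = ("cpu_seconds", "files_read", "failed_logins", "bytes_out")

# Constructed training sessions of one user, held by the central
# administrator node; these define "normal" for that user.
BASELINE_SESSIONS = [
    (12, 40, 0, 20_000),
    (15, 45, 1, 25_000),
    (10, 38, 0, 18_000),
    (14, 50, 0, 22_000),
    (11, 42, 1, 21_000),
]

# Threshold vector (in standard deviations) and weight vector per feature,
# plus the alarm level for the weighted score. All assumed values.
THRESHOLDS = (3.0, 3.0, 3.0, 3.0)
WEIGHTS = (1, 1, 3, 2)
ALARM_LEVEL = 3


def build_baseline(sessions, min_std=0.5):
    """Per-feature mean and standard deviation of the normal sessions.
    min_std keeps a near-constant feature from flagging every tiny change."""
    columns = list(zip(*sessions))
    mean = tuple(statistics.fmean(c) for c in columns)
    std = tuple(max(statistics.stdev(c), min_std) for c in columns)
    return mean, std


def score_session(session, baseline, thresholds=THRESHOLDS, weights=WEIGHTS):
    """Weight scoring against a threshold vector: each feature outside
    mean +/- threshold*std adds its weight to the session score."""
    mean, std = baseline
    score, flagged = 0, []
    for i, value in enumerate(session):
        if abs(value - mean[i]) > thresholds[i] * std[i]:
            score += weights[i]
            flagged.append(FEATURES[i])
    return score, flagged


def is_anomalous(session, baseline, alarm_level=ALARM_LEVEL):
    """Raise an alarm when the weighted score reaches the alarm level."""
    score, _ = score_session(session, baseline)
    return score >= alarm_level


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_SESSIONS)
    print(score_session((13, 44, 0, 21_500), baseline))     # normal session
    print(score_session((13, 200, 9, 900_000), baseline))   # clearly anomalous
    # An intrusion that stays inside the normal range is missed.
    print(is_anomalous((13, 55, 0, 26_000), baseline))
```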
54
Indra - Intrusion Detection and Rapid Action
A peer-to-peer approach
Makes use of cross-monitoring or "neighborhood watch"
Information on attempted attacks gathered by intended victims
Victim notifies adjacent hosts on attack, or peer nodes detect attack and sound alarm
Uses daemons
Web-of-trust model for certification of nodes
55
Detection at network layer
Watchdog
  Verify that next node in path forwards packet
  Listening in promiscuous mode
Control Messages
  Adding two control messages to DSR protocol
Neighborhood Watch
  Observing route protocol behavior
  Listening to transmission of next node
  Alarm messages
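Added example (Python, not code from the slides) simulating the watchdog of the first point: a node remembers the packets it handed to its next hop, clears each one when it overhears that hop retransmitting it in promiscuous mode, and after enough unforwarded packets produces the alarm message the neighborhood-watch scheme would send. The route, trace, timeout and failure threshold are invented.

```python
TIMEOUT = 3            # ticks a packet may wait for the next hop to forward it (assumed)
FAILURE_THRESHOLD = 2  # misses tolerated before the next hop is reported (assumed)


class Watchdog:
    """Node-side watchdog for one route: remembers what it handed to the next
    hop and clears each packet when it overhears that hop forwarding it."""

    def __init__(self, next_hop, timeout=TIMEOUT, threshold=FAILURE_THRESHOLD):
        self.next_hop = next_hop
        self.timeout = timeout
        self.threshold = threshold
        self.pending = {}    # packet id -> tick at which we sent it
        self.failures = 0
        self.alarms = []     # alarm messages to send to the source / neighbours

    def sent(self, pkt_id, tick):
        self.pending[pkt_id] = tick

    def overheard(self, sender, pkt_id):
        """Promiscuous-mode observation of a transmission in range. Only a
        retransmission by our next hop counts as the packet being forwarded."""
        if sender == self.next_hop:
            self.pending.pop(pkt_id, None)

    def tick(self, now):
        """Expire packets the next hop never forwarded; raise one alarm once
        the failure tally exceeds the threshold."""
        expired = [p for p, t in self.pending.items() if now - t >= self.timeout]
        for p in expired:
            del self.pending[p]
            self.failures += 1
        if self.failures > self.threshold and not self.alarms:
            self.alarms.append(("misbehaving_node", self.next_hop, now))
        return expired


# Constructed trace for node A on route A -> B -> C: (tick, event, ...).
# B forwards p1 and p2, then silently drops p3, p4 and p5.
TRACE = [
    (1, "send", "p1"),
    (2, "hear", "B", "p1"),
    (3, "send", "p2"),
    (4, "hear", "B", "p2"),
    (5, "send", "p3"),
    (6, "send", "p4"),
    (6, "hear", "C", "p3"),   # another node's traffic: must not clear p3
    (7, "send", "p5"),
    (8, "idle"),
    (9, "idle"),
    (10, "idle"),
]


def replay(trace=TRACE, next_hop="B"):
    """Feed the trace to a watchdog, advancing its clock after every event."""
    wd = Watchdog(next_hop)
    for tick, event, *args in trace:
        if event == "send":
            wd.sent(args[0], tick)
        elif event == "hear":
            wd.overheard(args[0], args[1])
        wd.tick(tick)
    return wd


if __name__ == "__main__":
    wd = replay()
    print(wd.failures, wd.alarms)   # 3 [('misbehaving_node', 'B', 10)]
```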
56
Multi-layer IDS (mIDS)
Detection on one layer can be initiated or aided by evidence from other layers.
Aggregation of evidence allows a more informed decision
Improved performance – higher true positive and lower false positive rates
57
Conclusion
Mobile Agent Benefits
  Run continually
  Fault tolerant
  Resist subversion
  Minimal overhead
  Configurable
  Adaptable
  Scalable
  Provide graceful degradation of service
  Allow dynamic reconfiguration