Computer Network Forensics, Lecture 6 – Intrusion Detection. © Joe Cleetus, Concurrent Engineering Research Center, Lane Dept of Computer Science and Engineering, WVU

Upload: leonard-franklin

Post on 03-Jan-2016


TRANSCRIPT

  • Computer Network Forensics, Lecture 6: Intrusion Detection. Joe Cleetus, Concurrent Engineering Research Center, Lane Dept of Computer Science and Engineering, WVU

  • Intrusion Detection: methods, tools, practices

  • Intrusion Detection: Network intrusion detection is the process of searching network traffic for intrusions and signs of intrusions.

  • Firewalls fail to prevent intrusion: Firewalls are designed to implement an access control policy. E.g., a firewall policy might be: HTTP traffic to the Web server is good, while FTP traffic is bad. Once a firewall has accepted a connection, it will not check that connection for signs of intrusion.

  • Firewalls fail to prevent intrusion: Network Intrusion Detection Systems (NIDS) look for intrusions on your network and report whenever an intrusion is found. Example: Snort at http://www.snort.org, an open source product.

  • Snort Overview: Many command line options to play with. 3 modes of use: sniffer, packet logger, and network intrusion detection system. Sniffer: snort -v (show packets) or snort -vd (show packets and headers). Packet logger: snort -dev -l ./log. Network Intrusion Detection (NIDS) mode: snort -dev -l ./log -c snort.conf (snort.conf has the rules database).

  • Snort - Writing Rules: http://www.snort.org/docs/lisapaper.txt (a simple intro) and http://www.snort.org/docs/writing_rules/

  • Preventing Intrusion: Method 1: signature-based detection, which compares traffic to signatures of well-known intrusion techniques (like anti-virus software). Method 2: protocol anomaly detection, which compares the actual traffic on the network to the specifications of each protocol (such as HTTP and FTP) and reports anomalies.

  • Detecting Intrusion: A "root" login can be detected only with a signature, while DNS cache poisoning can be detected only with protocol anomaly detection. Hence, implement as many intrusion detection methods as possible.

  • Errors: A false positive happens when an NIDS reports an intrusion in valid traffic. The quality of the signature database has to do with this. Snort, for example, would generate many false positives, as opposed to some commercial products.
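The two detection methods from the previous slides, and the false-positive problem, in one runnable model. This is an added example, not code from the lecture or from Snort: the Packet model, the signature table and the sample traffic are all constructed for illustration. A "root" login is caught by a signature (a loose and a strict one, to show how signature quality drives false positives), while the unsolicited DNS reply that characterises cache poisoning is caught only by the stateful protocol check.

```python
import re
from collections import namedtuple
# Constructed packet model (not Snort's decoder): proto is "ftp"/"http"/"dns"; fields = parsed payload.
Packet = namedtuple("Packet", "proto fields")
# Constructed signature table in the spirit of a Snort content rule: (msg, proto, pattern).
# The loose rule is deliberately sloppy to show how signature quality drives false positives.
SIGNATURES = [
    ("FTP root login (loose signature)", "ftp", re.compile(r"USER\s+root", re.I)),
    ("FTP root login (strict signature)", "ftp", re.compile(r"^USER\s+root\s*$", re.I)),
]
HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}

def signature_alerts(pkt):
    """Method 1: compare traffic to patterns of known intrusion techniques."""
    return [msg for msg, proto, rx in SIGNATURES
            if pkt.proto == proto and rx.search(pkt.fields.get("text", ""))]

class ProtocolAnomalyDetector:
    """Method 2: protocol-spec checks; tracks DNS queries so unsolicited replies stand out."""
    def __init__(self):
        self.pending = {}  # (client, txid) -> qname of DNS queries awaiting a reply
    def alerts(self, pkt):
        f, out = pkt.fields, []
        if pkt.proto == "http":
            parts = f.get("text", "").split()
            if len(parts) != 3 or parts[0] not in HTTP_METHODS or not parts[2].startswith("HTTP/"):
                out.append("HTTP request line violates the protocol grammar")
        elif pkt.proto == "dns":
            key = (f["client"], f["txid"])
            if f["kind"] == "query":
                self.pending[key] = f["qname"]
            elif self.pending.pop(key, None) != f["qname"]:
                out.append("DNS reply matches no outstanding query (cache-poisoning indicator)")
        return out

def run_nids(packets):
    """Run both methods over a packet list; returns (packet index, alert message) pairs."""
    det = ProtocolAnomalyDetector()
    return [(i, a) for i, p in enumerate(packets) for a in signature_alerts(p) + det.alerts(p)]
# Constructed sample traffic, not a real capture.
SAMPLE = [
    Packet("ftp", {"text": "USER root"}),                  # true positive for both signatures
    Packet("ftp", {"text": "USER rootbeer"}),              # valid user: loose signature false-positives
    Packet("http", {"text": "GET /index.html HTTP/1.1"}),  # well-formed, no alert
    Packet("http", {"text": "FOO /index.html HTTP/1.1"}),  # unknown method: protocol anomaly
    Packet("dns", {"kind": "query", "client": "10.0.0.5", "txid": 4242, "qname": "example.com"}),
    Packet("dns", {"kind": "reply", "client": "10.0.0.5", "txid": 4242, "qname": "example.com"}),
    Packet("dns", {"kind": "reply", "client": "10.0.0.5", "txid": 9999, "qname": "example.com"}),
]
```

Running run_nids(SAMPLE) flags packets 0, 1, 3 and 6; packet 1 is the false positive, raised by the loose signature alone.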

  • Preventing Intrusion: To prevent attacks, you need an IDP (intrusion detection and prevention). An IDP is deployed in the line of packets and blocks intrusions as they are detected. An IDP product can be found at http://www.onesecure.com

  • OneSecure Intrusion Detection and Prevention (IDP) System: Accurate attack detection (multiple methods to detect more attacks; stateful signatures to reduce false positives). Prevention (drop packets as they are detected). Management (easy rule-based approach).

  • Multiple Methods of Attack Detection: Stateful signature detection: IDP tracks the state of a connection and looks for attack patterns in only the relevant portions of the traffic. Protocol anomaly detection: can be used to identify the attacks that deviate from the protocols that "normal" traffic follows.

  • Multiple Methods of Attack Detection: Backdoor detection: IDP identifies the unique characteristics of interactive traffic and sends an alarm for unexpected activity. Traffic anomaly detection: can identify reconnaissance activity by comparing incoming traffic to "normal" traffic patterns and identifying deviations.

  • Multiple Methods of Attack Detection: Network honeypot: a network honeypot sends fake information to people scanning the network to try to entice attackers to access the non-existent services. It identifies the attacker when they attempt to connect to the service.

  • Prevention: Drop malicious packets from the network during the detection process to ensure the attack never reaches its target "victim" (active response). Avoiding the TCP reset or firewall signal (passive response) ensures no time is lost and the attack does not penetrate, so no investigation is needed. Avoids DoS attacks.