Detection Intrusion, Malware, and Fraud
2
Intrusion Detection Systems
- IDSs were developed to address the increasing number of network attacks
- An IDS looks for anomalies that differ from an established baseline
- IDSs are categorized as:
  - Signature-based
  - Anomaly-based
3
What is IDS?
The ideal Intrusion Detection System will notify the system/network manager of a successful attack in progress:
- With 100% accuracy
- Promptly (in under a minute)
- With complete diagnosis of the attack
- With recommendations on how to block it
…Too bad it doesn’t exist!!
4
Objectives: 100% Accuracy and 0% False Positives
- A False Positive is when a system raises an incorrect alert
  - “The boy who cried ‘wolf!’” syndrome
- 0% false positives is the goal
  - It’s easy to achieve this: simply detect nothing
- 0% false negatives is another goal: don’t let an attack pass undetected
5
Objectives: Prompt Notification
- To be maximally accurate the system may need to “sit on” information for a while until all the details come in
  - e.g.: Slow-scan attacks may not be detected for hours
- This has important implications for how “real-time” IDS can be!
- IDS should notify user as to detection lag
6
Objectives: Prompt Notification (cont)
- Notification channel must be protected
  - What if attacker is able to block notification mechanism?
- An IDS that uses E-mail to notify you is going to have problems notifying you that your E-mail server is under a denial of service attack!
7
Objectives: Diagnosis
- Ideally, an IDS will categorize/identify the attack
- Few network managers have the time to know intimately how many network attacks are performed
8
Objectives: Recommendation
The ultimate IDS would not only identify an attack, it would:
- Assess the target’s vulnerability
- If the target is vulnerable it would notify the administrator
- If the vulnerability has a known “fix” it would include directions for applying the fix
- This requires huge, detailed knowledge
9
IDS: Pros
- A reasonably effective IDS can identify:
  - Internal hacking
  - External hacking attempts
- May act as a backstop if a firewall or other security measures fail
10
IDS: Cons
- IDSs don’t typically act to prevent or block attacks
  - They don’t replace firewalls, routers, etc.
- If the IDS detects trouble on your interior network, what are you going to do? By definition it is already too late
11
Paradigms for Deploying IDS
- Attack Detection
- Intrusion Detection
12
[Diagram: Internet - Router w/ some screening - Firewall - DMZ Network (WWW Server) - Internal Network (Desktop), with an IDS sensor.]
Attack Detection
IDS detects (and counts) attacks against the Web Server and firewall
13
Attack Detection
- Placing an IDS outside of the security perimeter records attack level
  - Presumably if the perimeter is well designed the attacks should not affect it!
  - Still useful information for management (“we have been attacked 3,201 times this month…”)
- Prediction: The AD will generate a lot of noise and be ignored quickly
14
[Diagram: same network as before (Internet - Router w/ some screening - Firewall - DMZ Network (WWW Server) - Internal Network (Desktop)); the IDS sensor is placed on the protected network.]
Intrusion Detection
IDS detects hacking activity WITHIN the protected network, incoming or outgoing
15
Intrusion Detection
- Placing an IDS within the perimeter will detect instances of clearly improper behavior
  - Hacks via backdoors
  - Hacks from staff against other sites
  - Hacks that got through the firewall
- When the IDS alarm goes off, it’s a red alert
16
Attack vs Intrusion Detection
- Ideally do both
- Realistically, do ID first then AD
- The real question here is one of staffing costs to deal with alerts generated by AD systems
17
IDS Data Source Paradigms
- Host Based
- Network Based
18
Host Based IDS
- Collect data usually from within the operating system
  - C2 audit logs
  - System logs
  - Application logs
- Data collected in very compact form
  - But application / system specific
19
Host Based: Pro
- Quality of information is very high
  - Software can “tune” what information it needs
  - Kernel logs “know” who user is
- Density of information is very high
  - Often logs contain pre-processed information
20
Host Based: Con
- Capture is often highly system specific
  - Usually only 1, 2 or 3 platforms are supported (“you can detect intrusions on any platform you like as long as it’s Solaris or NT!”)
- Performance is a wild-card
  - To unload computation from the host, logs are usually sent to an external processor system
21
Network Based IDS
- Collect data from the network or a hub / switch
  - Reassemble packets
  - Look at headers
- Try to determine what is happening from the contents of the network traffic
  - User identities, etc. inferred from actions
22
Network Based: Pro
- No performance impact
- No management impact on platforms
- Works across operating systems
- Can derive information that host based logs might not provide (packet fragmenting, port scanning, etc.)
23
Network Based: Con
- May lose packets on flooded networks
- May mis-reassemble packets
- May not understand O/S specific application protocols (e.g.: SMB)
- May not understand obsolete network protocols (e.g.: anything non-IP)
- Does not handle encrypted data
24
IDS Paradigms
- Anomaly Detection - the AI approach
- Misuse Detection - simple and easy
- Hybrids - a bit of this and that
25
Anomaly Detection
Goals:
- Analyse the network or system and infer what is normal
- Apply statistical or heuristic measures to subsequent events and determine if they match the model/statistic of “normal”
- If events are outside of a probability window of “normal” generate an alert (tuneable control of false positives)
26
Anomaly Detection (cont)
Typical anomaly detection approaches:
- Neural networks - probability-based pattern recognition
- Statistical analysis - modelling behavior of users and looking for deviations from the norm
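To make the “probability window of normal” and its tuneable false-positive control concrete, here is a small statistical anomaly detector, added as an illustration and not code from the original slides. The baseline and observed connection counts are constructed, and k is the assumed window width in standard deviations.

```python
"""Statistical anomaly detection as sketched on the slides.

Added example, not from the original deck. 'Normal' is inferred as the mean
and standard deviation of a training sample; later events outside
mu +/- k*sigma raise an alert. All traffic figures are constructed.
"""
from statistics import mean, stdev

# Constructed baseline: outbound connections per minute from one host
# during a quiet period, used to infer what is "normal".
BASELINE = [12, 15, 11, 14, 13, 16, 12, 10, 14, 15, 13, 12]

# Constructed later observations; the final two are the real incident.
OBSERVED = [14, 17, 9, 13, 95, 140]
TRUE_INCIDENTS = {95, 140}


def fit_baseline(samples):
    """Model 'normal' as (mean, standard deviation) of the training data."""
    return mean(samples), stdev(samples)


def is_anomalous(value, mu, sigma, k):
    """True when value lies outside the window mu +/- k*sigma."""
    return abs(value - mu) > k * sigma


def detect(samples, observed, k=3.0):
    """Return the observed values outside the 'normal' window.

    k is the tuneable control: a small k gives a tight window and more
    alerts (more false positives); a large k gives fewer alerts but risks
    missing a slow or low-volume attack.
    """
    mu, sigma = fit_baseline(samples)
    return [v for v in observed if is_anomalous(v, mu, sigma, k)]


def false_positives(samples, observed, incidents, k):
    """Count alerts that are not real incidents, for a given k."""
    return sum(1 for v in detect(samples, observed, k) if v not in incidents)


if __name__ == "__main__":
    for k in (1.0, 2.0, 3.0):
        alerts = detect(BASELINE, OBSERVED, k)
        fp = false_positives(BASELINE, OBSERVED, TRUE_INCIDENTS, k)
        print(f"k={k}: alerts={alerts} false positives={fp}")
```

With k=3 only the two real spikes alert; tightening to k=1 also flags the ordinary values 17 and 9, which is the false-positive trade-off the slide describes.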
27
Anomaly Detection: Pro
- If it works it could conceivably catch any possible attack
- If it works it could conceivably catch attacks that we haven’t seen before
  - Or close variants to previously-known attacks
- Best of all it won’t require constantly keeping up on hacking technique
28
Anomaly Detection: Con
- Current implementations don’t work very well
  - Too many false positives/negatives
- Cannot categorize attacks very well
  - “Something looks abnormal”
  - Requires expertise to figure out what triggered the alert
  - Ex: Neural nets can’t say why they trigger
29
Anomaly Detection: Examples
- Most of the research is in anomaly detection
  - Because it’s a harder problem
  - Because it’s a more interesting problem
- There are many examples, these are just a few
  - Most are at the proof of concept stage
30
Misuse Detection
Goals:
- Know what constitutes an attack
- Detect it
31
Misuse Detection (cont)
Typical misuse detection approaches:
- “Network grep” - look for strings in network connections which might indicate an attack in progress
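A minimal “network grep” misuse detector, added here as an illustration and not part of the original slides: each rule is reduced to a destination port plus a content string (a simplified Snort-style rule), run over constructed packets. It also shows the Con slide’s point that a rule set only catches what it already knows until it is updated.

```python
"""Misuse ('network grep') detection over captured traffic.

Added example, not from the original slides. A rule pairs a destination port
with a byte string that indicates a known attack pattern; any packet whose
payload contains that string raises an alert. Rules and packets are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    msg: str        # human-readable alert name
    dst_port: int   # service the rule applies to
    content: bytes  # substring that indicates the attack


@dataclass(frozen=True)
class Packet:
    src: str
    dst_port: int
    payload: bytes


# Rule set v1: two classic web-attack indicators.
RULES_V1 = (
    Rule("WEB path traversal attempt", 80, b"../.."),
    Rule("WEB cmd.exe access attempt", 80, b"cmd.exe"),
)
# Rule set v2 adds a pattern v1 does not know about (needs constant updates).
RULES_V2 = RULES_V1 + (Rule("WEB script tag in request", 80, b"<script>"),)

# Constructed traffic: benign request, two known attacks, one newer probe,
# and a mail session on a port the web rules do not apply to.
PACKETS = [
    Packet("10.0.0.5", 80, b"GET /index.html HTTP/1.0\r\n"),
    Packet("10.0.0.9", 80, b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n"),
    Packet("10.0.0.9", 80, b"GET /scripts/cmd.exe HTTP/1.0\r\n"),
    Packet("10.0.0.7", 80, b"GET /search?q=<script>probe</script> HTTP/1.0\r\n"),
    Packet("10.0.0.5", 25, b"HELO mail.example.test\r\n"),
]


def match(packet, rules):
    """Return the messages of all rules that fire on this packet."""
    return [r.msg for r in rules
            if r.dst_port == packet.dst_port and r.content in packet.payload]


def scan(packets, rules):
    """Run the rule set over a capture; return (src, msg) alerts in order."""
    return [(p.src, msg) for p in packets for msg in match(p, rules)]
```

The benign request and the SMTP packet never alert (low false positives), v1 catches only the two patterns it knows, and the script-tag probe is detected only after the rule set is updated to v2.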
32
Misuse Detection: Pro
- Easy to implement
- Easy to deploy
- Easy to update
- Easy to understand
- Low false positives
- Fast
33
Misuse Detection: Con
- Cannot detect something previously unknown
- Constantly needs to be updated with new rules
- Easier to fool
34
Hybrid IDS
The current crop of commercial IDS are mostly hybrids:
- Misuse detection (signatures or simple patterns)
- Expert logic (network-based inference of common attacks)
- Statistical anomaly detection (values that are out of bounds)
35
Hybrid IDS (cont)
- At present, the hybrids’ main strength appears to be the misuse detection capability
  - Statistical anomaly detection is useful more as backfill information in the case of something going wrong
- Too many false positives - many sites turn anomaly detection off
36
Intrusion Detection Systems (Cont.)
Common IDS solutions available today:
- Cisco Secure IDS
- Enterasys™ Dragon®
- Elm 3.0
- GFI LANguard S.E.L.M
- Intrust Event Admin
- Snort®
- Tripwire
- eTrust®
37
Network Forensics Abuse
With an IDS system anyone can:
- Spy on users’ e-mail
- Capture passwords
- Know what Web pages were viewed
- Covertly see the contents of a customer’s shopping cart
38
Examining Data
- Verifying the integrity of the data
- There are guidelines that can help ensure the integrity of network data:
  - Logs
  - Time/date stamps
  - IDS alerts