HOST BASED IDS (HIDS) 1

Post on 19-Dec-2015

OBJECTIVES

- Be able to explain the role and the different categories of host-based IDS.
- Understand and be able to explain log file monitors.

HIDS ROLES

1) HIDS software focuses on detecting attacks against a particular host, e.g. a workstation or server, and runs from the host itself.

2) Malicious activity on a host can exhibit itself in multiple ways, so the HIDS monitors user-specific activity on the system. The software can observe the user's local activity because it has access to such host-specific information as process and service listings, local log files, and system calls. It is optimized for monitoring individual hosts.

Network IDS sensors, on the other hand, have a hard time associating packets with specific users, especially when they need to determine whether commands in the traffic stream violate a specific user's access privileges.

HIDS ROLES

3) Monitor data exchanges of encrypted network streams by tapping in at the connection's endpoint. Running on the VPN's endpoint allows a host-based IDS to examine packets in their clear-text form, before the host encrypts outbound packets or after it decrypts inbound packets.

A NIDS sensor cannot examine the payload of an IPSec packet or the contents of a packet that is part of an SSL session.

The need to perform content analysis of network traffic at the hosts continues to increase as companies continue to deploy VPN solutions.

HIDS ROLES

4) Correlating attacks that are picked up by network sensors.

Scenario 1: A network IDS sensor detected an attack that was directed at one of your hosts. How would you know whether the attack was successful?

Solution: The host's IDS software can help to determine the effect of the attack on the targeted system.

Of course, if the host is compromised, its logs might be altered or deleted. But if you are automatically relaying all host IDS data to a central, dedicated log server that picks up all the IDS logs, you can use that data instead of the original IDS logs if they are unavailable or untrusted.

From an incident-handling perspective, HIDS logs are important in reconstructing an attack or determining the severity of an incident.

IDS COMPONENTS

Traffic collector: collects activities/events for the IDS to examine. On a host-based IDS, this could be log files, audit logs, or traffic coming to or leaving a specific system. On a network-based IDS, this is typically a mechanism for copying traffic off the network link, basically functioning as a sniffer.

HOST-BASED IDS

A host-based IDS (HIDS) operates in:
- Real time, looking for activity as it occurs.
- Batch mode, looking for activity on a periodic basis.

HOST-BASED IDS

They may be self-contained, but many of the newer commercial products have been designed to report to and be managed by a central system.

Host-based systems use local system resources to operate.

HOST-BASED IDS

Host-based intrusion detection systems focus on the log files or audit trails from the local operating system. The IDS looks for hostile actions or misuse activities, such as:
- Logins at odd hours
- Login authentication failures
- Adding new user accounts
- Modification or access of critical system files
- Modification or removal of binary files (executables)
- Starting or stopping processes
- Privilege escalation
- Using certain programs

IDS LOGICAL LAYOUT

Host-based intrusion detection systems operate similarly. An insight into how host-based intrusion detection systems operate can be obtained by considering the function and activity of each component.

IDS COLLECTOR

The traffic collector pulls in information for the other components, such as the analysis engine. It pulls already generated data from the local system: error messages, log files, and system files. It is responsible for reading files, selecting items of interest, and forwarding them to the analysis engine. On some host-based systems, it also examines specific attributes of critical files such as file size, date modified, or checksum.

IDS ANALYSIS ENGINE

It is a sophisticated decision and pattern-matching mechanism. It looks at data given to it by the traffic collector and matches it to known patterns of activity stored in the signature database. If the activity matches a known pattern, the analysis engine reacts with an alert or alarm.

IDS ANALYSIS ENGINE

An analysis engine is capable of remembering how the current activity compares to historic or future traffic, so that it may match more complicated, multi-step malicious activity patterns. An analysis engine must also be capable of examining traffic patterns as quickly as possible. The longer it takes to match a malicious pattern, the less time the IDS or human operator has to react to malicious traffic.

IDS SIGNATURE DATABASE

The signature database is a collection of predefined activity patterns that have already been identified and categorized as typical of suspicious or malicious activity. When the analysis engine has a traffic pattern to examine, it compares it to the signatures in the database.

IDS USER INTERFACE

It is the visible component of the IDS, the part that humans interact with. Independent of the type and complexity, the interface allows users to interact with the system by:
- Changing parameters
- Receiving alarms
- Tuning signatures and response patterns

HOST-BASED ADVANTAGES

The advantages of host-based IDSs include:
- Operating system-specific.
- More detailed signatures.
- Reduced false positive rates.
- Examination of data after decryption.
- Application specific.
- Alarm may impact determination of a specific system.

HOST-BASED DISADVANTAGES

Before deployment, weigh the disadvantages of this technology:
- An IDS has a process on every system watched.
- An IDS has a high cost of ownership.
- An IDS uses local system resources.
- An IDS has a focused view and cannot relate to activity around it.
- A locally logged IDS may be compromised or disabled.

ACTIVE VS. PASSIVE IDS

Intrusion detection systems can be distinguished by how they examine the activity around them and whether or not they interact with that activity.

ACTIVE VS. PASSIVE IDS

A passive system watches the activity, analyzes it, and generates alarms. It does not interact with the activity itself in any way. It does not modify the defensive posture of the system to react to the traffic.

An active IDS contains the same components and capabilities as the passive IDS. However, the active IDS reacts to the activity it is analyzing.

[Figure: Passive HIDS vs. Active HIDS]

IDS COMPONENTS

Analysis engine: examines the collected network traffic and compares it to known patterns of suspicious or malicious activity stored in the signature database.

IDS COMPONENTS

User interface and reporting: the component that interfaces with the human element, providing alerts when appropriate and giving the user a means to interact with and operate the IDS.

TUNING AN IDS

Most IDSs can be "tuned" to fit a particular environment:
- Signatures may be turned off, so the IDS will not look for certain types of traffic.
- Alarm levels can be adjusted depending upon certain types of traffic.
- Some IDSs also allow users to "exclude" certain patterns of activity from specific hosts.

TYPES OF HIDS

There are several types of host-based IDS software products:
- Log analyzers
- File integrity checkers

Example tools, by what they monitor:
- The host's file system: AIDE, OSIRIS, Samhain, Tripwire
- The host's network connections: BlackICE, PortSentry
- The host's log files: LANguard, Logcheck, OsHids, Swatch

EXAMPLE: LANGUARD

TYPES OF HIDS

File integrity checkers alert if particular files are altered, which might indicate a successful attack.

Log analyzers monitor OS and application logs, looking for entries that might be related to attacks or security violations.

FILE INTEGRITY CHECKER

File integrity checkers detect unauthorized changes to the host's file system. They operate by taking a "snapshot" of the file system in a trusted state, when all the files are considered to be valid. During subsequent scans, these tools compare the system's files to the initial baseline and report noteworthy deviations.

FILE INTEGRITY CHECKER

To tune the integrity checking mechanism so that it only monitors relevant aspects of files, you can specify what file attributes are allowed to change, or what files can be ignored altogether. For example, applications frequently create temporary files in C:\WINNT\Temp or /tmp directories; alerting the administrator every time a new file appears or disappears from these directories would generate too many false positives.

On the other hand, contents of core system libraries rarely change, and it is normal for the host's log files to grow in size while retaining initial ownership and access permissions.

FILE INTEGRITY CHECKER - ALTERNATIVE WAYS

Increasing the difficulty of tampering with the database of baseline signatures can be accomplished in several ways:

1. Obfuscate/conceal the contents of the baseline database by using a proprietary binary format instead of plain text when saving the database to disk. Although this mechanism makes it more difficult to tamper with the database, it hardly prevents the attacker from discovering the obfuscation scheme or from using the integrity checker to update the baseline.

FILE INTEGRITY CHECKER - ALTERNATIVE WAYS

2. Place the baseline database onto read-only media, such as a write-protected floppy disk or a CD-ROM. This method requires that the disk or the CD be accessible to the integrity checker when it performs the verification scan. This method is reliable and is most useful for hosts whose baseline does not need to be frequently updated. Keep in mind, though, that even if the attacker is unable to modify the baseline database, he might be able to change the integrity checker or modify its configuration to use an unauthorized baseline. Placing the checker onto the read-only media helps defend against some attacks of this nature, but having access to the host might allow the attacker to modify the system's kernel or file system drivers to conceal his presence on the host anyway.

FILE INTEGRITY CHECKER - ALTERNATIVE WAYS

3. Digitally sign the baseline database. In this scenario, updating the program's baseline typically requires the administrator to present the appropriate cryptographic keys and supply the necessary passwords. This technique achieves a good balance between the first two approaches. It is frequently used in environments that need to be able to remotely update the baseline periodically, such as when installing system patches or otherwise updating the host's configuration.
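The snapshot, tuning and signed-baseline slides above, worked through in code. This is an added example, not Tripwire's or AIDE's code: a minimal checker that records content hash, size, mode and owner; applies a tuning policy that ignores a scratch directory and lets log files grow while still reporting ownership or permission changes; and protects the baseline database with an HMAC so an edited database is refused. The IGNORE_DIRS and MAY_GROW policy, the key and the sample files are constructed for the example, and the HMAC stands in for the digital signature the slide describes.

```python
import hashlib, hmac, json, os, stat, tempfile
IGNORE_DIRS = {"tmp"}      # constructed policy: scratch dirs where file churn is expected
MAY_GROW = {"var/log"}     # logs may grow, but their owner and permissions must not change

def file_record(path):
    # Attributes the checker snapshots: content hash, size, mode, owner.
    st = os.lstat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"sha256": digest, "size": st.st_size, "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "gid": st.st_gid}

def snapshot(root):
    # Walk root and record every file that is not under an ignored directory.
    records = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel = "" if dirpath == root else os.path.relpath(dirpath, root)
        dirnames[:] = [d for d in dirnames if os.path.join(rel, d) not in IGNORE_DIRS]
        for name in filenames:
            records[os.path.join(rel, name)] = file_record(os.path.join(dirpath, name))
    return records

def sign_baseline(records, key):
    # Serialize the baseline and attach an HMAC so any edit to it becomes detectable.
    body = json.dumps(records, sort_keys=True)
    return {"body": body, "mac": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}

def load_baseline(signed, key):
    # Refuse a baseline whose MAC does not verify (edited on disk, or wrong key).
    mac = hmac.new(key, signed["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, signed["mac"]):
        raise ValueError("baseline database signature mismatch")
    return json.loads(signed["body"])

def compare(baseline, current):
    # Report (path, finding) pairs for deviations the policy does not excuse.
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline or path not in current:
            findings.append((path, "added" if path in current else "removed"))
            continue
        old, new = baseline[path], current[path]
        changed = {k for k in old if old[k] != new[k]}
        in_log = any(path == d or path.startswith(d + "/") for d in MAY_GROW)
        if in_log and new["size"] > old["size"]:
            changed -= {"sha256", "size"}   # normal growth; a shrinking log is still reported
        if changed:
            findings.append((path, "changed " + ",".join(sorted(changed))))
    return findings

def demo():
    # Constructed scenario: take a signed baseline, then apply benign and suspicious changes.
    root = tempfile.mkdtemp()
    def write(rel, data, mode="w"):
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, mode) as f:
            f.write(data)
        os.chmod(p, 0o644)   # fixed mode so the process umask does not affect the result
    write("bin/ls", "original binary")
    write("var/log/messages", "boot ok\n")
    key = b"operator-supplied key (constructed)"
    signed = sign_baseline(snapshot(root), key)
    write("var/log/messages", "login ok\n", mode="a")         # benign: the log grew
    write("tmp/new-scratch", "junk")                           # benign: ignored directory
    write("bin/ls", "trojaned binary!!")                       # suspicious: content changed
    os.chmod(os.path.join(root, "var/log/messages"), 0o666)    # suspicious: mode loosened
    findings = compare(load_baseline(signed, key), snapshot(root))
    tampered = dict(signed, body=signed["body"][:-1] + " }")   # edited database, stale MAC
    try:
        load_baseline(tampered, key); rejected = False
    except ValueError:
        rejected = True
    return findings, rejected
```

demo() returns the two findings the policy does not excuse (the changed binary and the log whose permissions changed despite growing normally) and True for the rejected, edited baseline.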

FILE INTEGRITY CHECKER: TRIPWIRE

Tripwire is the best-known file integrity checking utility; it is a benchmark against which other tools in this category are measured. The original version of Tripwire was developed in 1992 at Purdue University in West Lafayette, Indiana. The free open source (academic) version is available at http://www.tripwire.org and is included with many Linux distributions, including Red Hat Linux. Despite its age, this version of Tripwire is still effective at detecting unauthorized changes to the host's files, although it is no longer being actively maintained.

FILE INTEGRITY CHECKER: TRIPWIRE

Full commercial versions of Tripwire for servers and network devices are not free (http://www.tripwire.com/products/servers/). They run on both Windows and UNIX hosts. The Windows version of the tool can monitor the system's Registry in addition to the file system. The commercial software Tripwire for Network Devices can monitor the integrity of configuration files on routers and switches.

Multiple hosts and devices monitored by the commercial versions of Tripwire can be controlled centrally through a unified configuration and reporting interface, Tripwire Manager.

FILE INTEGRITY CHECKER: AIDE

AIDE (Advanced Intrusion Detection Environment) is a free integrity checker with similar features to the academic release of Tripwire: http://sourceforge.net/projects/aide

FILE INTEGRITY CHECKER: AIDE

The differences between AIDE and the various Tripwire versions:

1. AIDE is maintained through a steadier development cycle than the academic version of Tripwire, which is no longer maintained. The commercial version of Tripwire is being developed much more actively.

2. AIDE runs on a wide range of UNIX platforms, but unlike the commercial version of Tripwire, it does not run on Windows.

3. AIDE does not cryptographically sign its baseline database, making it more difficult to ensure the integrity of its findings. (The academic version of Tripwire does not do this either.)

NETWORK CONNECTION MONITORS

Now that you know how to detect unauthorized changes to the host's file system, let's switch our attention to monitoring another critical aspect of the host's operation: its network connectivity. Specifically, we want to use available data about network connections that are initiated or terminated on the host to detect malicious behavior.

The impetus behind connection monitoring is similar to that of network IDS products that run in promiscuous mode to examine network streams for multiple hosts and devices. A host-based IDS, however, can also associate network sockets with specific processes and users on the system, and it can be tuned to the exact characteristics of the host. Additionally, host-based network-monitoring software is unlikely to be overwhelmed by the voluminous network traffic that continues to push the limits of network IDS performance.

NETWORK CONNECTION MONITORS: BLACKICE

One popular HIDS product for monitoring the system's network connections is BlackICE (http://blackice.iss.net/), produced by Internet Security Systems (ISS). There are two versions of the software: BlackICE PC Protection runs on Windows-based operating systems and is optimized for protecting a workstation, and BlackICE Server Protection offers similar capabilities for servers.

NETWORK CONNECTION MONITORS: BLACKICE

Whenever BlackICE observes a suspicious network connection that targets its host, it creates a log for this event. A host-based firewall would typically create an individual record for each blocked packet; the IDS mechanism in BlackICE is able to group events associated with multiple offending packets into a single log entry that identifies the attack. For example, BlackICE can correlate several suspicious packets as being a single port scan. Instead of logging each packet that comprised the scan, BlackICE creates a single entry in the log. However, BlackICE can be configured to capture full packets that it identifies as belonging to an attack sequence and log them for future analysis.

In addition to performing IDS services, BlackICE comes with a built-in host-based firewall that can block unauthorized inbound and outbound connections.

DEMO ON BLACKICE

You can see a demo of how BlackICE works at http://blackice.iss.net/demo.php

NETWORK CONNECTION MONITORS: PORTSENTRY

PortSentry (http://sourceforge.net/projects/sentrytools/) can detect port scans and other unauthorized connection attempts to the system. It is freely available and can run on most UNIX operating systems. When PortSentry detects a network-based attack, it can block the attacking host by automatically reconfiguring the compatible firewall on the local host or by placing an appropriate entry into the hosts.deny file used by TCP Wrappers.

NETWORK CONNECTION MONITORS: PORTSENTRY

For example, the following are Syslog records that document PortSentry actions when it detects a port scan coming from 192.168.44.1:

Jan 19 10:35:57 localhost portsentry[1252]: attackalert: TCP SYN/Normal scan from host: 192.168.44.1/192.168.44.1 to TCP port: 13
Jan 19 10:35:57 localhost portsentry[1252]: attackalert: Host 192.168.44.1 has been blocked via wrappers with string: "ALL: 192.168.44.1"
Jan 19 10:35:57 localhost portsentry[1252]: attackalert: TCP SYN/Normal scan from host: 192.168.44.1/192.168.44.1 to TCP port: 21
Jan 19 10:35:57 localhost portsentry[1252]: attackalert: Host: 192.168.44.1/192.168.44.1 is already blocked Ignoring

PortSentry detected an unauthorized connection to TCP port 13 on the local host. It responded by reconfiguring TCP Wrappers in an attempt to block subsequent connections from the offender.
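To show how a log file monitor would consume these records, here is an added example (not PortSentry's own code) that parses the attackalert lines above, folds the per-port records into one entry per scanning host, the kind of grouping the BlackICE slide describes, and reports whether the block was applied. The regular expressions are written against the message shapes shown on this slide; the extra sshd line in the sample is constructed to show that unrelated records are skipped.

```python
import re
from collections import OrderedDict

# The slide's Syslog records, plus one constructed sshd line that a monitor must skip.
SAMPLE_LOG = """\
Jan 19 10:35:57 localhost portsentry[1252]: attackalert: TCP SYN/Normal scan from host: 192.168.44.1/192.168.44.1 to TCP port: 13
Jan 19 10:35:57 localhost portsentry[1252]: attackalert: Host 192.168.44.1 has been blocked via wrappers with string: "ALL: 192.168.44.1"
Jan 19 10:35:57 localhost portsentry[1252]: attackalert: TCP SYN/Normal scan from host: 192.168.44.1/192.168.44.1 to TCP port: 21
Jan 19 10:35:57 localhost portsentry[1252]: attackalert: Host: 192.168.44.1/192.168.44.1 is already blocked Ignoring
Jan 19 10:36:02 localhost sshd[1300]: Accepted publickey for admin from 10.0.0.5 port 50122 ssh2
"""

# Syslog envelope: timestamp, host, "portsentry[pid]: attackalert: ", then the message.
RECORD = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
                    r"portsentry\[(?P<pid>\d+)\]: attackalert: (?P<msg>.*)$")
# The three message shapes that appear in the slide's records.
SCAN = re.compile(r"^(?P<proto>TCP|UDP) (?P<kind>.+?) scan from host: (?P<name>[^/]+)/"
                  r"(?P<ip>\S+) to (?:TCP|UDP) port: (?P<port>\d+)$")
BLOCKED = re.compile(r"^Host:? (?P<ip>[\d.]+)(?:/\S+)? has been blocked via (?P<how>\w+) "
                     r'with string: "(?P<rule>[^"]*)"$')
ALREADY = re.compile(r"^Host: (?P<name>[^/]+)/(?P<ip>\S+) is already blocked")

def parse_record(line):
    # Return a dict for one PortSentry attackalert record, or None for any other line.
    m = RECORD.match(line.rstrip())
    if not m:
        return None
    ev, msg = {"ts": m["ts"], "sensor": m["host"]}, m["msg"]
    if s := SCAN.match(msg):
        ev.update(type="scan", ip=s["ip"], proto=s["proto"], kind=s["kind"], port=int(s["port"]))
    elif b := BLOCKED.match(msg):
        ev.update(type="blocked", ip=b["ip"], how=b["how"], rule=b["rule"])
    elif a := ALREADY.match(msg):
        ev.update(type="already_blocked", ip=a["ip"])
    else:
        ev.update(type="other", text=msg)
    return ev

def summarize(text):
    # Fold per-port records into one entry per offending host.
    hosts = OrderedDict()
    for line in text.splitlines():
        ev = parse_record(line)
        if ev is None:
            continue
        h = hosts.setdefault(ev.get("ip"), {"first": ev["ts"], "last": ev["ts"], "ports": [],
                                             "kinds": set(), "blocked": False, "rule": None, "repeats": 0})
        h["last"] = ev["ts"]
        if ev["type"] == "scan":
            if ev["port"] not in h["ports"]:
                h["ports"].append(ev["port"])
            h["kinds"].add(f'{ev["proto"]} {ev["kind"]}')
        elif ev["type"] == "blocked":
            h["blocked"], h["rule"] = True, ev["rule"]
        elif ev["type"] == "already_blocked":
            h["repeats"] += 1   # another probe from a host PortSentry had already blocked
    return hosts

def render(hosts):
    # One alert line per host instead of one per packet.
    out = []
    for ip, h in hosts.items():
        ports = ",".join(str(p) for p in h["ports"])
        status = f'blocked with "{h["rule"]}"' if h["blocked"] else "not blocked"
        out.append(f'{ip}: {"/".join(sorted(h["kinds"]))} scan of ports {ports} '
                   f'between {h["first"]} and {h["last"]}, {status}')
    return out
```

render(summarize(SAMPLE_LOG)) yields a single line for 192.168.44.1 covering ports 13 and 21 and the TCP Wrappers rule that was applied.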

LOG FILE MONITORS

The host's log files include system, audit, authentication, and application events. Log file monitors observe the contents of logs and alert administrators when suspicious events are detected. They have the benefit of being able to observe events generated by multiple security components on the host.

LOG FILE MONITORS: EXAMPLE TOOLS

Swatch (its name stands for "simple watcher") is available at http://swatch.sourceforge.net/. It is free and runs on most UNIX operating systems. You can configure Swatch to email the administrator when it locates a line with the string "attackalert" in a Syslog record.

Logcheck (http://sourceforge.net/projects/sentrytools/): unlike Swatch, it does not monitor logs in real time; it runs periodically and emails alerts in batches. This helps the administrator to limit the number of email messages that he receives, but it might also delay the administrator's response to an attack.

LOG FILE MONITORS: EXAMPLE TOOLS

Log file monitoring utilities are available for Windows platforms as well:
- TNT ELM Log Manager (http://www.tntsoftware.com/)
- LANguard Security Event Log Monitor (http://www.gfi.com/lanselm)

SUMMARY

You now understand the roles that a host-based IDS plays when operating as part of a network's security perimeter, and the different types of host-based IDS solutions.

Multiple sources of data can be used to perform intrusion detection at the host level. The primary reason for wanting to look at the host's file system, log files, and network connections is that malicious activity on a host can exhibit itself in multiple ways.