Intrusion Detection Systems

Upload: hilary-dorsey

Post on 21-Jan-2016


Page 1: Intrusion Detection Systems. 1980-Paper written detailing importance of audit data in detecting misuse + user behavior 1984-SRI int’l develop method of

Intrusion Detection Systems

Page 2: Intrusion Detection Systems

1980: Paper written detailing the importance of audit data in detecting misuse and user behavior

1984: SRI International develops a method of tracking and analyzing users of ARPANET, resulting in the first IDS

1988: Haystack project, an IDS based on using defined patterns of misuse, resulting in the Distributed IDS

1990: Todd Heberlein, Network Security Monitor, the first network monitor; lots of interest, leading to commercial development and to the IDS boom we see today.

Page 3: What are Intrusion Detection Systems?

Not a firewall!

A firewall is just that: a wall (allow/deny). An IDS is a monitoring system; it takes notes of what is going on and reports it to someone else to deal with.

Page 4: What are Intrusion Detection Systems?

Sensors -> report security events
Console -> monitor events/alerts; control sensors
Engine -> logs events reported by sensors; generates alerts based upon security rules

All three components can be in a single place.

Page 5: Types of IDS

Based upon where the sensors are placed in the system, as well as the rules used to generate alerts:

Network IDS
Host-based IDS

Page 6: Network IDS

Ideally scans all traffic, but not always practical

Examines network traffic; connected to a network device that allows port mirroring, or to a network tap

Signature based vs anomaly based

Page 7: Network IDS: Signature Based (knowledge based)

Most IDS are signature based. Works like antivirus software: looks for attempts to exploit known vulnerabilities.

This type is ineffective if an exploit type is unknown to the system.

Page 8: Network IDS: Anomaly Based (behavior based)

This type observes deviation from the "normal" behavior of the system.

Not defeated by new/unforeseen vulnerabilities, since it does not depend on knowing the exploit in advance.

High "false positive" rate; requires a "learning phase" and subsequent "retraining" as the network changes.
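The two engines described on pages 7 and 8, side by side, as an added example that is not part of the original slides. The log format ("client HH:MM request"), the two signatures, the client addresses and the alert thresholds are all constructed for the illustration. The signature engine catches the two known exploit attempts but is blind to the request burst; the anomaly engine, after a learning phase on clean traffic, flags the burst but says nothing about the exploits, and it needs a floor on the deviation so a zero-variance baseline does not alert on every change:

```python
"""Signature-based vs anomaly-based detection over constructed web-server log lines.

Added illustration, not from the original slides. The log format, the two
signatures, the clients and the thresholds are all constructed.
"""
import re
from collections import Counter, defaultdict
from statistics import mean, pstdev

# --- Signature-based (knowledge-based) engine --------------------------------
# Each rule encodes one known pattern of misuse; anything not covered by a
# rule is invisible to this engine, which is the weakness the slide names.
SIGNATURES = {
    "path_traversal": re.compile(r"\.\./"),
    "sqli_tautology": re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE),
}

def signature_alerts(lines):
    """Return (rule_name, line) for every line that matches a known signature."""
    return [(name, line)
            for line in lines
            for name, pattern in SIGNATURES.items()
            if pattern.search(line)]

# --- Anomaly-based (behavior-based) engine -----------------------------------
LOG_RE = re.compile(r"^(\S+) (\d{2}:\d{2}) (.*)$")  # constructed "client HH:MM request"

def requests_per_minute(lines):
    """{client: Counter({minute: requests})} for the given log lines."""
    counts = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            client, minute, _request = m.groups()
            counts[client][minute] += 1
    return counts

def learn_baseline(training_lines):
    """Learning phase: per-client (mean, stddev) of requests per minute,
    computed from traffic that is assumed to be clean."""
    return {client: (mean(per_min.values()), pstdev(per_min.values()))
            for client, per_min in requests_per_minute(training_lines).items()}

def anomaly_alerts(baseline, lines, k=3.0, min_delta=5):
    """Flag (client, minute, count) where count exceeds the client's baseline
    by more than k standard deviations. `min_delta` stops a zero-variance
    baseline from alerting on any change at all (one source of the high
    false-positive rate); clients never seen during learning fall back to an
    empty baseline, one reason retraining is needed as the network changes."""
    alerts = []
    for client, per_min in requests_per_minute(lines).items():
        mu, sigma = baseline.get(client, (0.0, 0.0))
        for minute, count in sorted(per_min.items()):
            if count > mu + max(k * sigma, min_delta):
                alerts.append((client, minute, count))
    return alerts

# Constructed training traffic: one client, a steady two requests per minute.
TRAINING_LOG = [
    "10.0.0.5 09:00 GET /index.html",
    "10.0.0.5 09:00 GET /style.css",
    "10.0.0.5 09:01 GET /about.html",
    "10.0.0.5 09:01 GET /logo.png",
    "10.0.0.5 09:02 GET /contact.html",
    "10.0.0.5 09:02 GET /favicon.ico",
]
# Constructed live traffic: two known exploit attempts at a normal request
# rate, plus a burst of ordinary-looking requests from the known client.
LIVE_LOG = [
    "10.0.0.5 10:00 GET /index.html",
    "10.0.0.5 10:00 GET /search?q=' OR 1=1",
    "10.0.0.7 10:01 GET /report?file=../../config",
] + [f"10.0.0.5 10:02 GET /item/{i}" for i in range(12)]

if __name__ == "__main__":
    print("signature alerts:", signature_alerts(LIVE_LOG))
    baseline = learn_baseline(TRAINING_LOG)
    print("anomaly alerts:  ", anomaly_alerts(baseline, LIVE_LOG))
```

Neither engine alone covers the other's blind spot, which is the argument for running both, and for the correlation of sources the closing slides point to.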

Page 9: Host Based IDS

Individual devices
Monitors the PC: system calls, application logs, file modifications
Single device only!
Alerts the user/admin if something is detected

Page 10: Hybrid IDS

Hybrid systems can be a combination of these systems, such as host based + network based, with the host reporting to the network based system for more comprehensive protection.

Page 11: Passive vs Reactive IDS

Among the variety of "flavors" of IDS, they can be categorized into two major groups:

Passive systems work by simply monitoring, detecting and alerting.

Reactive systems perform any necessary action or actions in response to a detected threat.

Page 12: Passive IDS

"I just found a threat, user"

Monitors the system for any suspicious or malicious intrusion
If found, evaluates it to determine whether it is a threat
If detected as such, generates and sends an alert to the user
Up to the user to take action

Page 13: Reactive IDS

Alerts the console user and attempts to respond according to security rules/capabilities: reprogram the firewall, reset connections, block IP addresses

Typically called an Intrusion Prevention System; essentially a firewall with network and application level filtering

"I found a threat and I'm taking care of it, oh yeah"

Page 14: IDS Evasion Techniques

Closely related to network attack methods
Designed to avoid detection by the IDS
Some basic and commonly known methods to attack an IDS are through:
String matching weaknesses
Session assembly weaknesses
Denial of service techniques

Page 15: String Matching Weaknesses

Easiest to implement and understand
Most IDS have a strong dependency on string matching
Using variants, string manipulation techniques, and character substitution techniques so that strings don't match
If the strings don't match, no threat is detected

Page 16: Session Assembly Weakness

Works by dividing a string across several packets
Data is delivered a few bytes at a time, with modified IP packets, to evade string matching
To defend, the IDS should fully understand the session (difficult and processor intensive)
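The defender's answer to both weaknesses on pages 15 and 16 is the same: canonicalize the data and reassemble the session before the rule is applied. The following is an added example, not code from the original slides. The signature string ("/admin/config", a path the constructed rule set says should never be requested from outside), the request variants, the segment payloads and the sequence numbers are all constructed for the illustration. It contrasts a literal substring test with one that decodes, normalizes and case-folds first, and a per-packet check with one run over the reassembled stream:

```python
"""Hardening string matching: canonicalize and reassemble before matching.

Added illustration, not from the original slides. The signature string, the
request variants and the TCP segments below are constructed.
"""
from urllib.parse import unquote

SIGNATURE = "/admin/config"   # constructed rule: never expected from outside

def naive_match(payload: str) -> bool:
    """What the slide criticizes: a literal substring test on the raw data."""
    return SIGNATURE in payload

def canonicalize(payload: str) -> str:
    """Undo the common substitutions before applying rules: percent-encoding
    (applied twice to catch double encoding), backslash separators, redundant
    '/./' and '//' path segments, and letter case."""
    text = unquote(unquote(payload))
    text = text.replace("\\", "/")
    while "/./" in text or "//" in text:           # length shrinks each pass
        text = text.replace("/./", "/").replace("//", "/")
    return text.lower()

def hardened_match(payload: str) -> bool:
    """Signature test on the canonical form of the data."""
    return SIGNATURE in canonicalize(payload)

def reassemble(segments):
    """Rebuild a TCP stream from (seq, payload) pairs that may arrive out of
    order or overlap. Later data overwrites earlier data at the same offset,
    one simple policy; a real reassembler has to mirror the receiving host's
    policy, which is part of why the slide calls this processor intensive."""
    stream = {}
    for seq, data in segments:
        for offset, ch in enumerate(data):
            stream[seq + offset] = ch
    if not stream:
        return ""
    lo, hi = min(stream), max(stream)
    return "".join(stream.get(i, "?") for i in range(lo, hi + 1))

def inspect_stream(segments):
    """(matched per packet, matched on the reassembled stream)."""
    per_packet = any(hardened_match(data) for _, data in segments)
    whole = hardened_match(reassemble(segments))
    return per_packet, whole

# Constructed variants of one request; only the first is a literal match.
VARIANTS = [
    "GET /admin/config HTTP/1.1",
    "GET /ADMIN/config HTTP/1.1",        # case variation
    "GET /admin/./config HTTP/1.1",      # redundant path segment
    "GET /%61dmin/config HTTP/1.1",      # 'a' percent-encoded
    "GET /%2561dmin/config HTTP/1.1",    # double-encoded
    "GET /admin\\config HTTP/1.1",       # backslash separator
]
# Constructed: the same request a few bytes at a time, delivered out of order.
SEGMENTS = [
    (1012, "onfig HTTP/1.1"),
    (1000, "GET /ad"),
    (1007, "min/c"),
]

if __name__ == "__main__":
    for v in VARIANTS:
        print(f"{v!r:40} naive={naive_match(v)!s:5} hardened={hardened_match(v)}")
    print("reassembled:", reassemble(SEGMENTS))
    print("per-packet, whole-stream:", inspect_stream(SEGMENTS))
```

Canonicalization trades some precision for coverage: lower-casing and decoding everything means a rule can also fire on requests the server would have rejected, so the canonical form should follow what the protected application actually accepts.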

Page 17: Denial of Service Technique

Characterized by preventing legitimate users of a service from using that service

Examples:
Consume the device's processing power
Fill up disk space
More alarms than can be handled by the management systems
Personnel not being able to investigate all the alarms
Device lock up
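One mitigation for the "more alarms than can be handled" case above is to aggregate alerts before they reach the console, so that a flood from one source collapses into a handful of lines while an unrelated alert from elsewhere stays visible. This is an added example, not code from the original slides; the alert tuples, the rule names, the window length and the per-source cap are constructed values:

```python
"""Alert aggregation so an alarm flood does not drown the console.

Added illustration, not from the original slides. The alert tuples, rule
names, window length and per-source cap are constructed values.
"""
from collections import Counter, OrderedDict

WINDOW = 60          # seconds per aggregation window (constructed)
MAX_PER_SOURCE = 3   # alert lines the console accepts per source per window (constructed)

def aggregate(alerts, window=WINDOW, cap=MAX_PER_SOURCE):
    """alerts: iterable of (timestamp_seconds, rule_name, source_address).

    Returns console lines, grouped by window:
    - identical (source, rule) alerts collapse into one line with a count;
    - each source gets at most `cap` lines per window; anything beyond that
      becomes one FLOOD line per source, so analysts still see that a flood
      happened and who caused it, without the flood hiding other sources."""
    by_window = OrderedDict()
    for ts, rule, src in sorted(alerts):
        by_window.setdefault(ts // window, Counter())[(src, rule)] += 1
    out = []
    for w, counts in by_window.items():
        start = w * window
        per_src = OrderedDict()
        for (src, rule), n in counts.most_common():   # highest counts first
            per_src.setdefault(src, []).append((rule, n))
        for src, rules in per_src.items():
            for rule, n in rules[:cap]:
                out.append(f"t={start}s {src} {rule} x{n}")
            rest = rules[cap:]
            if rest:
                suppressed = sum(n for _, n in rest)
                out.append(f"t={start}s {src} FLOOD: {len(rest)} further rule types, "
                           f"{suppressed} alerts suppressed")
    return out

# Constructed raw alerts: one noisy source in the first minute, a single
# alert from a different source inside the flood, and one alert in the next minute.
ALERTS = (
    [(t, "port_scan", "10.9.9.9") for t in range(0, 50)]
    + [(t, "bad_user_agent", "10.9.9.9") for t in range(5, 10)]
    + [(t, "ssh_bruteforce", "10.9.9.9") for t in range(20, 24)]
    + [(30, "dns_tunnel", "10.9.9.9"), (31, "dns_tunnel", "10.9.9.9")]
    + [(12, "sqli_tautology", "10.0.0.5")]
    + [(75, "port_scan", "10.9.9.9")]
)

if __name__ == "__main__":
    lines = aggregate(ALERTS)
    print(f"{len(ALERTS)} raw alerts -> {len(lines)} console lines")
    print("\n".join(lines))
```

The point of the per-source cap, rather than a global one, is that the lone alert from 10.0.0.5 survives the flood; with a global cap it would be exactly the alert that gets dropped.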

Page 18: Towards the Future

IDS vendors and hardware will have to keep pace with switched networks and traffic increases

The future of IDS lies in data correlation, AI and data mining

Future IDS will produce results by examining input from different sources

Page 19: Conclusion

Nearly every company is dependent on the Internet to survive, so IDS is here to stay
Also, as technology advances for new IDS, so does the possibility of new threats
Security issues are always present
However, the future is promising: statistical analysis, predictive AI