Computer Security: Intrusion Detection Systems

Intrusion Detection Systems

System monitoring software
- Observe various events
- Developed to monitor suspicious activity
- Optionally, report or respond to such activity

Two major dimensions
- Misuse-based vs. anomaly-based
  - Need both for maximum security
- Host-based vs. network-based (NIDS)
  - Also distributed (combination of host and network)

Intrusion Detection Systems (2)

Same general problems as with virus detection

False positive
- A non-intrusion causes an alarm
- Example: printer driver scans the subnet for printers
- Can have a physical, software or user cause

False negative
- An intrusion does not cause an alarm
- Example: stealth scan

False positive rate = #FP / #normal events
False negative rate = #FN / #intrusions

(some material from Nick Hopper)

Base Rate Fallacy

Suppose:
- 10 M network flows per day
- 100 flows are genuine intrusions

Suppose we add an IDS with a false positive rate of 0.1%. Then:
- There are 10 K false alarms
- 99.9% of alarms are false positives

We need a FPR of just 0.001% to make 50% of alarms real.

(some material from Nick Hopper)
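The arithmetic behind the slide, as an added example (not part of the original deck): two functions that recompute the false-alarm count, the share of alarms that are false, and the FPR needed for a target precision, so the reasoning can be rerun for other volumes and rates. It assumes a 100% detection rate unless one is passed in, which is the slide's implicit assumption when all 100 intrusions are counted as alarms.

```python
# Added example, not from the slides: the base-rate arithmetic as functions,
# so the slide's figures can be recomputed for other volumes and rates.
# A 100% detection rate is assumed unless one is passed in (the slide makes
# the same implicit assumption when it counts all 100 intrusions as alarms).

def alarm_breakdown(flows, intrusions, fpr, detection_rate=1.0):
    """Return (true_alarms, false_alarms, share_of_alarms_that_are_false).

    fpr follows the slide's definition: #FP / #normal events.
    """
    normal = flows - intrusions
    false_alarms = normal * fpr
    true_alarms = intrusions * detection_rate
    return true_alarms, false_alarms, false_alarms / (true_alarms + false_alarms)


def fpr_for_precision(flows, intrusions, target_precision, detection_rate=1.0):
    """FPR at which `target_precision` of all alarms are real intrusions.

    precision = TP / (TP + FP)  =>  FP_allowed = TP * (1 - p) / p,
    then divide by the number of normal events to express FP as a rate.
    """
    normal = flows - intrusions
    tp = intrusions * detection_rate
    return tp * (1 - target_precision) / target_precision / normal


if __name__ == "__main__":
    tp, fp, share = alarm_breakdown(10_000_000, 100, 0.001)
    print(f"true alarms: {tp:.0f}, false alarms: {fp:.0f}, "
          f"share of alarms that are false: {share:.1%}")
    print(f"FPR for 50% real alarms: {fpr_for_precision(10_000_000, 100, 0.5):.4%}")
```

With the slide's inputs the false alarms come to 10,000 and the required FPR for 50% precision to 0.001%; the false-alarm share computed exactly is about 99.0%. The point worth carrying away is that the required FPR scales with the base rate: halving the number of real intrusions halves the FPR the sensor must achieve for the same alert quality.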

Host Based Intrusion Detection Systems

Dependent on the operating system

Main activities
- Check system logs
- Monitor user logins
- Monitor processes
- Look for trojans

Advantages: can be quite sophisticated
Disadvantages:
- Deal with known problems
- Active: consume CPU cycles

Host-Based IDS - Details

Events to watch
- Creation of accounts
- Protection violations (actual, attempted)
- Logins
- Failed logins
- Kernel activity as well as user activity

Other Tools for Host-Based Intrusion Detection

Linux
- last (user analysis)
- lsof (file analysis)
- tripwire (file analysis)
- chkrootkit (file analysis)
- swatch (log file analysis)

Windows
- Microsoft Port Reporter
- GFI LANguard System Integrity & Event Log Monitor: http://www.extralan.co.uk
- sysinternals tools: http://www.sysinternals.com

last

Displays a list of recent user logons
Usage: last [-N]
- E.g. last -20 (display the last 20 user logons)

lsof

Lists open files on your system
Useful to see what processes are working with what files, possibly identifying tampering
Usage: lsof
- E.g. lsof | more (one screen at a time)

tripwire (http://www.tripwire.org)

- Uses digital hashing (MD5) to create secure file signatures
- A change in file size and/or signature potentially shows an intrusion
- The database is now signed itself, but it is still best to store it on write-protected media/hardware
- Expanded to define a policy language for what to monitor
- Linux version is open source; a commercial Windows version is available
- Security usage: identify the presence of tampered files, symptomatic of rootkits
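The mechanism the slide describes, as an added example rather than tripwire's own code: record size and hash for every file under a directory, compare a later walk against that baseline, and sign the baseline so tampering with the database itself is detectable. It swaps SHA-256 for the MD5 the slide mentions (MD5 collisions are cheap to construct today) and uses an HMAC with a key that, in practice, would live off the monitored host, which is the point of the slide's write-protected media. The directory tree, file contents and key are constructed for the demo.

```python
# Added example, not tripwire's own code: a minimal file-integrity baseline.
# SHA-256 replaces the MD5 the slide mentions; the baseline is HMAC-signed
# with a key that must be kept off the monitored host.
import hashlib
import hmac
import json
import os
import tempfile


def file_signature(path):
    """Return (size, sha256 hex digest) for one file, hashing in chunks."""
    h = hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
            size += len(chunk)
    return size, h.hexdigest()


def build_baseline(root):
    """Map relative path -> (size, digest) for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = file_signature(full)
    return baseline


def compare_baseline(old, new):
    """Sets of added, removed and modified paths (size or digest differs)."""
    old_paths, new_paths = set(old), set(new)
    return {
        "added": new_paths - old_paths,
        "removed": old_paths - new_paths,
        "modified": {p for p in old_paths & new_paths if old[p] != new[p]},
    }


def sign_baseline(baseline, key):
    """HMAC-SHA256 over the serialized baseline; detects edits to the database."""
    blob = json.dumps(baseline, sort_keys=True).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()


def demo():
    """Constructed scenario: baseline a temporary tree, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as root:
        files = {"bin/ls": b"original ls", "bin/ps": b"original ps", "etc/motd": b"welcome"}
        for rel, body in files.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(body)
        key = b"constructed-demo-key"   # in practice: stored off-host
        baseline = build_baseline(root)
        tag = sign_baseline(baseline, key)

        # Tampering: a same-size edit to ls (a size check alone would miss it),
        # a new hidden file, and a deleted file.
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"originaL ls")
        with open(os.path.join(root, "bin", ".hidden"), "wb") as f:
            f.write(b"x")
        os.remove(os.path.join(root, "etc", "motd"))

        report = compare_baseline(baseline, build_baseline(root))
        report["baseline_intact"] = sign_baseline(baseline, key) == tag
        return report


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, sorted(paths) if isinstance(paths, set) else paths)
```

The same-size edit to bin/ls is the case that motivates hashing rather than size checks, and the hidden file is why the walk must include dotfiles. Note that a rootkit that has replaced the hashing binary or the kernel can lie to this check, which is why the slide pairs tripwire with a rootkit checker and recommends running from trusted media.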

chkrootkit

Root kit / rootkit: a package of cracker tools placed on a system for the purpose of taking control of it or otherwise using it
- May include modified system utilities (e.g. ls, ps)
- Examples: t0rn, HKRK, Romanian, others…

chkrootkit: a program to check the system for common rootkits
Checks
- common files for substitutions, based on known signatures, not just changes
- evidence of rootkit runs
- other suspicious files and directories

Responding To Root Kits

If a minimal number of files is affected, may be able to replace those files from the original media
If the infection is larger, may have to re-image the system
- Can be difficult to eradicate all traces

swatch

Log file watcher
Many log files to watch
- /var/log/messages
- /var/log/secure
- More in separate directories: httpd, samba (smb), snort

Goal: automatically be notified when a (certain type of) log file entry is made

Fail2ban

Scans log files like /var/log/pwdfail or /var/log/apache/error_log and bans IPs that make too many password failures. It updates firewall rules to reject the IP address.

Fail2ban

- Client/server architecture
- Multi-threaded
- Highly configurable
- File Alteration Monitor (FAM)/Gamin (subset of FAM) support
- Parses log files and looks for given patterns
- Executes commands when a pattern has been detected for the same IP address more than X times; X can be changed

Fail2ban

- After a given amount of time, executes another command in order to unban the IP address
- Uses Netfilter/iptables by default but can also use TCP Wrapper (/etc/hosts.deny) and many other actions
- Handles log file rotation
- Can handle more than one service (sshd, apache, vsftpd, etc.)
- Resolves DNS hostnames to IP addresses
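The core loop of the three Fail2ban slides above (and the swatch goal of acting on a matching log entry), as an added example that is not Fail2ban's code: a pattern pulls the timestamp and source address out of failed-password lines, a sliding window counts failures per address, the address is "banned" once the count reaches maxretry within findtime, and the ban is lifted after bantime. Where the real tool runs its configured firewall action, this version records the ban and unban events so they can be inspected. The sshd log lines are constructed (syslog format, RFC 5737 test addresses) and the year, which syslog timestamps omit, is pinned for the demo.

```python
# Added example, not Fail2ban's code: the maxretry/findtime/bantime logic over
# constructed sshd log lines. Ban and unban are recorded instead of executed.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd log lines in syslog format (RFC 5737 test addresses); not real data.
SAMPLE_LOG = """\
Jan 12 10:00:01 host sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 12 10:00:03 host sshd[2102]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Jan 12 10:00:04 host sshd[2103]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2
Jan 12 10:00:06 host sshd[2104]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jan 12 10:00:09 host sshd[2105]: Failed password for root from 203.0.113.5 port 51241 ssh2
Jan 12 10:00:10 host sshd[2106]: Failed password for bob from 198.51.100.7 port 40002 ssh2
Jan 12 10:00:12 host sshd[2107]: Failed password for root from 203.0.113.5 port 51242 ssh2
Jan 12 10:12:00 host sshd[2108]: Failed password for root from 203.0.113.5 port 51300 ssh2
"""

# The equivalent of a jail's failregex: timestamp and offending IP of a failed login.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port"
)


def parse_ts(text, year=2024):
    """Syslog timestamps carry no year; the demo pins one."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


class Jail:
    """One jail: maxretry failures within findtime seconds => ban for bantime seconds."""

    def __init__(self, maxretry=5, findtime=600, bantime=600):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.banned = {}                    # ip -> time the ban expires
        self.actions = []                   # ("ban" | "unban", ip, when)

    def _expire_bans(self, now):
        for ip, until in list(self.banned.items()):
            if now >= until:
                del self.banned[ip]
                self.actions.append(("unban", ip, until))  # real tool: run the unban action

    def observe(self, line):
        m = FAILED_RE.match(line)
        if not m:
            return
        now, ip = parse_ts(m["ts"]), m["ip"]
        self._expire_bans(now)
        if ip in self.banned:
            return
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.findtime:  # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.maxretry:
            self.banned[ip] = now + self.bantime
            self.actions.append(("ban", ip, now))          # real tool: insert the firewall rule
            recent.clear()


def run(log=SAMPLE_LOG, **jail_options):
    """Feed every line to a jail and return the ban/unban events it produced."""
    jail = Jail(**jail_options)
    for line in log.splitlines():
        jail.observe(line)
    return jail.actions


if __name__ == "__main__":
    for action, ip, when in run():
        print(f"{when:%H:%M:%S} {action} {ip}")
```

With the defaults, 203.0.113.5 is banned on its fifth failure at 10:00:12 and released at 10:10:12; the single failure from 198.51.100.7 never crosses the threshold, and the "Accepted publickey" line is ignored because the pattern does not match it. The time-based expiry is what keeps the tool from permanently blocking an address that a user mistyped from, and it is also why the bantime is a tuning knob rather than a fixed policy.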

Fail2ban GUI (screenshot slide)

Windows Tools

Many tools are available to help with intrusion detection (as well as the previous steps)

Several from www.sysinternals.com
- Process Explorer (process monitoring, including CPU usage)
- TCPView (process monitoring, including local and remote addresses, port numbers and status)
- Autoruns (service start-up monitoring)

Essential NetTools
- Many components, including many basic tools as in Sam Spade, netstat, process monitoring (including a 2-minute bar graph of CPU usage)

Network Based Intrusion Detection Systems (NIDS)

High level: packet sniffers
- Examine network traffic
- Compare actual traffic to known attack patterns
- If these patterns/signatures are found, theorize that an intrusion is taking place

Advantage: passive (analyzing the network, not a particular system, so hard to detect)
Disadvantages
- Switches can reduce the amount of visible traffic to analyze
- Packet fragmenting can fool the system

Misuse-Based Detection

Signature checking
Approach:
- Collect information about known attack methods and types, such as SrcAddr, SrcPort, DstAddr, DstPort, Protocol, and Packet Contents
- Create and look for signatures; e.g.
  - A Code Red packet
  - A port scan
  - Etc.

(some material from Nick Hopper)

Misuse-Based Detection (2)

Language to specify intrusion patterns
Lots of state in the pattern matching engine
Example rule (SNORT rules format):
- alert tcp any any -> myip 21 (content:"site exec"; content:"%"; msg:"site exec buffer overflow attempt";)
  Assume myip is predefined
Content string search algorithm: Boyer-Moore

(some material from Nick Hopper)
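To make the rule on this slide concrete, here is an added example, not Snort's code, of a tiny matcher that parses that rule's header and content options and evaluates it against a few constructed packets. It resolves the slide's "predefined" myip through a variable table (Snort does the same with variables such as $HOME_NET) and treats every content option as a byte-exact substring the payload must contain, which is Snort's behaviour when a content option carries no nocase modifier. The source port, which the slide's header omits and Snort requires, is given as any; the address in VARS and all packets are constructed.

```python
# Added example, not Snort's code: parse the slide's rule and run it over
# constructed packets. Content matching is byte-exact, as in Snort without nocase.
import re
from dataclasses import dataclass, field

# The slide's rule, with the source port Snort's header requires filled in as "any".
RULE = ('alert tcp any any -> myip 21 (content:"site exec"; content:"%"; '
        'msg:"site exec buffer overflow attempt";)')
# Constructed stand-in for the slide's "predefined" myip.
VARS = {"myip": "192.0.2.10"}

HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
OPTION_RE = re.compile(r'(\w+)\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    contents: list = field(default_factory=list)
    msg: str = ""


def parse_rule(text):
    """Split a rule into its header fields and its content/msg options."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("unparseable rule header")
    action, proto, src, sport, dst, dport, opts = m.groups()
    rule = Rule(action, proto, src, sport, dst, dport)
    for key, val in OPTION_RE.findall(opts):
        if key == "content":
            rule.contents.append(val.encode())
        elif key == "msg":
            rule.msg = val
    return rule


def field_matches(pattern, value, variables):
    """'any' matches everything; otherwise resolve variables and compare."""
    if pattern == "any":
        return True
    return variables.get(pattern, pattern) == str(value)


def rule_matches(rule, pkt, variables=VARS):
    header_ok = (rule.proto == pkt["proto"]
                 and field_matches(rule.src, pkt["src"], variables)
                 and field_matches(rule.sport, pkt["sport"], variables)
                 and field_matches(rule.dst, pkt["dst"], variables)
                 and field_matches(rule.dport, pkt["dport"], variables))
    # Every content option must occur somewhere in the payload.
    return header_ok and all(c in pkt["payload"] for c in rule.contents)


def make_pkt(dst, dport, payload, src="198.51.100.20", sport=40000):
    return {"proto": "tcp", "src": src, "sport": sport,
            "dst": dst, "dport": dport, "payload": payload}


# Constructed packets, not captured traffic.
PACKETS = [
    make_pkt("192.0.2.10", 21, b"USER anonymous\r\n"),   # ordinary FTP command
    make_pkt("192.0.2.10", 21, b"site exec %\r\n"),      # both contents present: alert
    make_pkt("192.0.2.10", 21, b"site exec ls\r\n"),     # no "%": no alert
    make_pkt("192.0.2.10", 21, b"SITE EXEC %\r\n"),      # case differs: missed
    make_pkt("192.0.2.10", 22, b"site exec %\r\n"),      # wrong port: header fails
    make_pkt("192.0.2.99", 21, b"site exec %\r\n"),      # not myip: header fails
]


def scan(packets=PACKETS, rule_text=RULE):
    """Return (index, msg) for each packet the rule alerts on."""
    rule = parse_rule(rule_text)
    return [(i, rule.msg) for i, pkt in enumerate(packets) if rule_matches(rule, pkt)]


if __name__ == "__main__":
    for i, msg in scan():
        print(f"packet {i}: {msg}")
```

Only packet 1 alerts. Packet 3 shows the kind of false negative the next slide is about: FTP treats SITE EXEC and site exec identically, so a byte-exact signature misses the upper-case form unless the rule author adds nocase. The real engine also runs the content search with Boyer-Moore over many rules at once rather than one substring test per rule, which is where most of the "lots of state" on the slide lives.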

Misuse-Based Detection (3)

Advantages
- Very low false positive rate
- Automated extraction is possible

Disadvantages
- Only detects known attacks
- Simple changes to an attack can defeat detection; e.g.
  - Scan even ports, then scan odd ports (defeats looking for an ascending port scan)
  - "rm -rf /*" -> "rm -rf ../*" (defeats looking for the literal remove command)

(some material from Nick Hopper)

Anomaly-Based Detection

Try to identify what is normal activity
- Protocols, session length, intervals
- Combination of port/content

Look for major deviations / outliers
- Unusual target port, source address, or port sequence (scan)

Can apply artificial intelligence/machine learning to "learn" what is normal
Advantage: more robust to altered attacks

(some material from Nick Hopper)

Anomaly-Based Detection (2)

Problems
- High false positive rate
- Attacks might not be obvious until late in the process / too late
- Attacks can hide in normal-looking traffic
- Requires training on known good data
- Normalcy is not a fixed concept
  - E.g., flash crowds, new users, new applications

(some material from Nick Hopper)
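The two anomaly slides above, as one added example (not from the deck or from any product): a model is fitted on a "known good" window of flow records, learning the set of destination ports seen and a per-source outlier threshold on distinct ports contacted (mean plus k standard deviations), then applied to a test window. Two things the slides describe fall out of it: a scanner that walks odd ports and then even ports is still flagged, because distinct-port count ignores order, and a legitimate host trying a service absent from the training data is flagged too, which is the "new applications" false positive. All flow records and addresses are constructed.

```python
# Added example, not from the slides: a small anomaly model over constructed
# flow records. Fit on a known-good window, then flag outliers in a new one.
import math
import statistics
from collections import defaultdict

# Constructed flow records (src, dst, dport), not captured traffic. The
# known-good window: twenty clients using web ports, two of them also using ssh.
TRAIN = [(f"10.0.0.{i}", "192.0.2.10", p) for i in range(1, 21) for p in (80, 443)]
TRAIN += [("10.0.0.3", "192.0.2.10", 22), ("10.0.0.7", "192.0.2.10", 22)]

# The window under test: normal clients, one sequential scanner, one scanner
# that walks odd ports then even ports, and one host trying a new service.
TEST = [("10.0.0.5", "192.0.2.10", 443), ("10.0.0.5", "192.0.2.10", 80),
        ("10.0.0.9", "192.0.2.10", 22)]
TEST += [("203.0.113.7", "192.0.2.10", p) for p in range(1, 13)]
TEST += [("203.0.113.8", "192.0.2.10", p) for p in (21, 23, 25, 22, 24, 26)]
TEST += [("10.0.0.11", "192.0.2.10", 6667)]


def distinct_ports(flows):
    """Per source address, how many distinct destination ports it touched."""
    seen = defaultdict(set)
    for src, _dst, dport in flows:
        seen[src].add(dport)
    return {src: len(ports) for src, ports in seen.items()}


class AnomalyModel:
    def __init__(self, k=3.0):
        self.k = k
        self.scan_threshold = None
        self.known_ports = set()

    def fit(self, flows):
        """Learn 'normal' from a window assumed to contain no intrusions."""
        counts = list(distinct_ports(flows).values())
        mean = statistics.mean(counts)
        sd = statistics.stdev(counts) if len(counts) > 1 else 0.0
        # Outlier cut at mean + k*sigma, never below what was already seen as normal.
        self.scan_threshold = max(math.ceil(mean + self.k * sd), max(counts) + 1)
        self.known_ports = {dport for _s, _d, dport in flows}
        return self

    def detect(self, flows):
        """Flag sources touching too many ports, and flows to never-seen ports."""
        scans = {src: n for src, n in distinct_ports(flows).items()
                 if n >= self.scan_threshold}
        unusual = {(src, dport) for src, _d, dport in flows
                   if dport not in self.known_ports}
        return {"port_scan": scans, "unusual_port": unusual}


def demo():
    return AnomalyModel().fit(TRAIN).detect(TEST)


if __name__ == "__main__":
    result = demo()
    print("port scans:", result["port_scan"])
    print("unusual ports:", sorted(result["unusual_port"]))
```

Both scanners are reported, with 12 and 6 distinct ports against a learned threshold of 4, while the ordinary clients are not. The flow from 10.0.0.11 to port 6667 is also reported, and nothing in the model can tell whether that is a new application or an attack; deciding that is exactly the analyst workload the slide's "high false positive rate" refers to, and it is why the training window has to be revisited as the environment changes.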

Example NIDS: SNORT

http://www.snort.org
Need to define signatures/rules
- Available on the internet, updated frequently
- Current signature set only if you pay

Multiple level architecture
- Main application (doing analysis)
- Web client: ACID (Analysis Console for Intrusion Databases)
- Barnyard: analysis of results

SNORT - more

Now supports preprocessor analysis
Problems with signatures
- False positives: too wide a net
- False negatives: too narrow a net

Preprocessors allow customizing
- Start using anomaly-based detection
- Customize rules based on users

Examples
- stream4: TCP statefulness, session reassembly
- frag2: packet fragmenting/reassembly

Other NIDS Products

Open Source
- Untangle
- SNORT (Linux, Windows)
- Argus, SHADOW

BlackICE
ISS RealSecure

Other NIDS Products

Open Source
- Untangle's list of bundled software (features) includes:
  - Web Filter and Phishing Blocker
  - Spam/Virus Blocking (ClamAV)
  - IPS/IDS (SNORT)
  - OpenVPN
  - Firewall/Router
  - Reporting

Attacks on IDS

Witty Worm: buffer overflow in a commercial IDS system

DoS
- On NIDS: crash the system or overwhelm the monitor
- Example: fill up the NIDS log with activity

Subterfuge
- Retransmits, NULs in packets, etc.
- "rob<DEL><BS>ot"

(material from Nick Hopper)

More Information on IDS

SANS IDS FAQ
- http://www.sans.org/resources/idfaq/

Intrusion Prevention Systems

The holy grail: prevent attacks from happening
Requires the system to be in-line with the traffic flow
- Analyze arriving traffic, accept or reject
- Generally work at the application/content level
  - But may have the intelligence to analyze, not just match
- Not the same as a firewall

Can be network- or system-based
Possible problem: self-DoS

(some material from Nick Hopper)

Honeypots

Honeypot: a closely monitored node set up as a decoy.
Honeynet: two or more honeypots

Goals:
- Allow collection of information on attacker techniques
- Provide early warning about new attack and exploit trends

(some material from Nick Hopper)