Intrusion Detection
CS-480b, Dick Steflik
Hacking Attempts
• IP Address Scans
  • scan the range of addresses looking for hosts (ping scan)
• Port Scans
  • scan promising ports for openness (80, 21, ...)
• Service Evaluation
  • determine the OS
• Target Selection
  • pick the most vulnerable host, most running services...
• Vulnerability Probes
  • Automated password attacks
    • FTP, HTTP, NetBIOS, VNC, PCAnywhere...
  • Application specific attacks
    • try known vulnerabilities on present services
Intrusion Detection Systems (IDS)
• Inspection Based (Signature Based)
  • Uses a database of known attack signatures
  • observe the activity on a host or network and make judgements about whether or not an intrusion is in progress or has taken place
  • look for known indicators
    – ICMP scans, port scans, connection attempts
    – CPU, RAM, I/O utilization
    – File system activity, modification of system files, permission modifications
• Anomaly Based
  • baseline the normal traffic and then look for things that are out of the norm
• Variations of IDS
  • Rule based
  • Statistical
  • Hybrid
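As an added example (not part of the slides), a small Python script that applies both approaches just described to a constructed connection log: an inspection rule that matches the port-scan indicator, and a statistical anomaly rule that compares observed connection counts with a baseline. The IP addresses, thresholds and baseline counts are assumptions made up for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample connection log: (seconds, src_ip, dst_ip, dst_port).
# 10.0.0.5 behaves normally; 10.0.0.99 walks through nine ports in five seconds.
LOG = [
    (0, "10.0.0.5", "10.0.0.20", 80), (3, "10.0.0.5", "10.0.0.20", 443),
    (7, "10.0.0.5", "10.0.0.20", 80), (12, "10.0.0.5", "10.0.0.20", 443),
    (10, "10.0.0.99", "10.0.0.20", 21), (10, "10.0.0.99", "10.0.0.20", 22),
    (11, "10.0.0.99", "10.0.0.20", 23), (11, "10.0.0.99", "10.0.0.20", 25),
    (12, "10.0.0.99", "10.0.0.20", 80), (12, "10.0.0.99", "10.0.0.20", 110),
    (13, "10.0.0.99", "10.0.0.20", 139), (13, "10.0.0.99", "10.0.0.20", 443),
    (14, "10.0.0.99", "10.0.0.20", 3389),
]
# Constructed baseline: connections per source per interval on a normal day.
BASELINE = [3, 4, 2, 5, 3, 4, 3, 4]

def signature_port_scan(log, window=5, min_ports=5):
    """Inspection (signature) rule: a source touching at least `min_ports`
    distinct ports on one host within `window` seconds matches the known
    port-scan indicator. Returns the (src, dst) pairs that matched."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in log:
        by_pair[(src, dst)].append((ts, port))
    alerts = set()
    for pair, events in by_pair.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                alerts.add(pair)
                break
    return alerts

def connections_per_source(log):
    """Count connections per source over the observed interval."""
    counts = defaultdict(int)
    for _, src, _, _ in log:
        counts[src] += 1
    return dict(counts)

def anomaly_rate(baseline, observed, z=3.0):
    """Anomaly rule: flag sources whose count exceeds the baseline mean by
    more than `z` standard deviations; no knowledge of the attack is needed."""
    mu, sigma = mean(baseline), pstdev(baseline)
    return {src: n for src, n in observed.items() if n > mu + z * sigma}

if __name__ == "__main__":
    print("signature alerts:", signature_port_scan(LOG))
    print("anomaly alerts:", anomaly_rate(BASELINE, connections_per_source(LOG)))
```

The signature rule only fires on the pattern it was written for, while the anomaly rule flags the same host purely because its rate is far outside the baseline; the two are complementary, which is why hybrid systems combine them.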
Decoys/Honeypots
• Purposely place an incorrectly configured or unprotected system where it is easily found so that a hacker will try to use it as an attack vector.
• Since no legitimate user has a reason to touch the decoy, all accesses will set off alarms that indicate an intrusion is in progress
IDS Systems
• Tripwire
  • Windows or UNIX
  • alarms on modification to system files
    • e.g. c:\WINNT\system32
• CyberCop
  • Network Associates, suite of 4 ID tools
• Sun/Symantec
  • iForce IDS Appliance
    • Sun/Solaris and Symantec's ManHunt IDS
      – ID analysis at 2 Gbits/sec
      – ManHunt uses distributed network sensors and a variety of methods to identify threats, including protocol-anomaly detection, signature detection, traffic-state profiling and statistical flow analysis.
SNORT
• Open Source (http://www.snort.org)
• Uses:
  • Packet Sniffer
    • produces tcpdump-formatted output
  • Packet Logger
    • can log packets so that after-the-fact data mining tools can be used for analysis
    – Traffic debugging and analysis
  • Can design a ruleset that recognizes certain traffic patterns
  • Can do both anomaly based and inspection based detection
  • SPADE (Silicon Defense)
    – a SNORT preprocessor that logs anomalies for later analysis
ActiveScout
• ForeScout Technologies (http://www.forescout.com)
• Intrusion Prevention Tool
• Method:
  • Watches for hacker reconnaissance (port scans, NetBIOS scans, etc.)
  • Returns bogus info to the hacker
  • If the hacker attempts to break in with the bogus data, ActiveScout sets off alarms or blocks any further traffic from the intruder
• Downside: only works in conjunction with Check Point's Firewall-1
• Requires little administration and eliminates many false positives
• Cost with a T1 port is about $10K
ManHunt
• Symantec Corp. (http://www.symantec.com)
• Advanced Threat Management System
• Signature based hybrid detection
  • protocol anomaly detection
  • traffic rate monitoring
  • protocol state tracking
  • IP packet reassembly to provide a level of detection superior to other, signature-based systems. These detection capabilities can identify threats in real time, eve
• Real-time Analysis and Correlation
  • collects information from security devices throughout the network to spot trends
• Automatic Policy Based Responses
• Scalable Across Geographic Areas of an Enterprise
  • one ManHunt can be configured across 10 network segments
Watson Researchers
• Kanad Ghose
• Doug Summerville
• Viktor Skormann
• Mark Fowler