2. WHAT IS INTRUSION ?
DEFINITION : An intrusion can be defined as
a subversion of security to gain access to a
system. This intrusion can use multiple
attack methods and can span long periods
of time.
These unauthorized accesses to computer or
network systems are often designed to study the
system’s weaknesses for future attacks.
Other forms of intrusions are aimed at limiting
access or even preventing access to computer
systems or networks.
3. TYPES OF INTRUSION
Unauthorized access to the resources
Password cracking
Scanning ports and services
Spoofing e.g. DNS spoofing
Network packet listening
Stealing information
Unauthorized network access
Use of IT resources for private purposes
Unauthorized alteration of resources
Falsification of identity
Information altering and deletion
Unauthorized transmission and creation of data
Configuration changes to systems and network services
4. TYPES OF INTRUSION (Contd)
Denial of Service
Flooding
Ping flood
Mail flood
Compromising system
Buffer overflow
Remote system shutdown
Web application attack
6. TYPICAL INTRUSION SCENARIO
Information Gathering
- Find as much info as possible
- whois lookup and DNS zone transfers
- Normal browsing; gather important info
Further Information Gathering
- ping sweeps, port scanning
- web server vulnerabilities
- version of application/services
Attack !
- start trying out different attacks
- UNICODE attack if IIS is installed
- try to find misconfigured running services
- Passive Attack / Active Attack
Successful Intrusion
- install own backdoors and delete log files
- replace existing services with own Trojan horses that have backdoor passwords, or create own user accounts
Fun and Profit
- Steal confidential information
- Use compromised host to launch further attacks
- Change the web-site for FUN
8. FACTS !!!
Anti-virus systems are only good at detecting viruses they already know about
Passwords can be hacked, stolen or changed by others
Firewalls DO NOT recognize attacks and block them
Simply a fence around your network
no capacity to detect that someone is trying to break in (digging a hole underneath it)
can’t determine whether somebody coming through the gate is allowed to enter or not
Roughly 80% of financial losses occur from hacking inside the network
“BEWARE OF INTERNAL INTRUDERS”
9. WHAT IS AN IDS ? ?
IDS : System trying to detect and alert on attempted
intrusions into a system or network .
Reactive rather than proactive !!
Sometimes provides diagnostic information as well .
Usually does not prevent unauthorized users from
entering the network, only identifies that an intrusion
has occurred .
10. CAPABILITIES OF AN IDS
Identify possible incidents
detect that an attacker has compromised a system
Report to the administrator
Log information
keep a log of suspicious activities
Can be configured to
recognize violations of security policies
monitor file transfers
e.g. copying a large database onto a user’s laptop
11. WHY IDS WHEN WE HAVE
FIREWALLS ?
IDS are used to monitor the rest of the security
infrastructure
Today’s security infrastructures are becoming extremely complex.
They include firewalls, identification and authentication systems, access control products, virtual private networks, encryption products, virus scanners, and more.
Failure of one of the above components of your security infrastructure will render the system less secure.
12. Not all traffic may go through a firewall
e.g. a modem on a user’s computer
Not all threats originate from outside. As networks use more and more encryption, attackers will aim at the location where data is often stored unencrypted (the internal network)
Firewalls do not protect appropriately against application-level weaknesses and attacks
Firewalls are subject to attacks themselves
IDS protect against misconfiguration or faults in other security mechanisms
13. REAL LIFE ANALOGY !!
It's like security at the airport... You can put up all the
fences in the world and have strict access control, but the
biggest threat are all the PASSENGERS (packet) that you
MUST let through! That's why there are metal detectors
to detect what they may be hiding (packet content).
You have to let them get to the planes (your application)
via the gate ( port 80) but without X-rays and metal
detectors, you can't be sure what they have under their
coats.
Firewalls are really good access control points, but they
aren't really good for or designed to prevent intrusions.
That's why most security professionals back their
firewalls up with IDS, either behind the firewall or at the
host.
14. CHARACTERISTICS OF IDS
Scalability : The IDS system must be able to
function in large (and fast) network architectures .
Low rate of false positives alerts : A false positive
is, essentially, a false alarm .
No false negative instances : A false negative is an
instance when the network or system was under
attack, but the IDS did not identify it as intrusive
behavior, thus no alert was activated .
Allow some anomalous events : without flagging
an emergency alert. This doesn't mean it should
allow true malicious behavior, but it should be
flexible/smart enough to allow for the occasional
user mistake or communication blip .
16. INFORMATION SOURCE
All IDS need an information source in which to monitor
for intrusive behavior.
The information source can include: network traffic
(packets), host resource (CPU, I/O operations, and log
files), user activity and file activity, etc.
The information can be provided in real-time or in a
delayed manner.
17. ANALYSIS ENGINE
The Analysis Engine is the “brains” behind IDS.
This is the actual functionality that is used to identify the
intrusive behavior.
As mentioned previously, there are many ways in which
IDS analyze intrusive behavior.
The majority of IDS implementations differ in the
method of intrusion analysis.
18. RESPONSE
Once an intrusive behavior is identified, IDS need to
be able to respond to the attack and alert the
appropriate individuals of the occurrence.
Response activities can include: applying firewall
rules to drop traffic from a particular source IP, host
port blocking, logging off a user, disabling an
account, security software activation, system
shutdown, etc.
19. ALERTING MEASURES
Alerting measures are used to bring the attack to the
attention of the proper individuals supporting the
environment.
For example,
• an IDS alert can include an active measure, which may be sending
an email or text page to the system administrator,
• or it could simply write a detailed log of the event, which is a passive
measure.
22. ANOMALY DETECTION BASED IDS
Anomaly Detection:
Assumption: “Attacks differ from normal behaviour”
Analyses the network or system and infers what is “normal” (establishes a “normal activity profile”)
Interprets deviations from this “normal” behaviour as an intrusion
Activity measures such as CPU time used, number of network connections in a time period
Adjustment of threshold levels is very important
[Figure: Audit Data → System Profile → “statistically deviant?” → Attack State; the profile is updated and new profiles are generated dynamically]
23. METHODS
THRESHOLD DETECTION - Threshold detection is
the process in which certain attributes of user and
computer system behavior are expressed in terms of
counts, with some level established as permissible .
For example,
such behavior attributes can include the number of files accessed by a
given user over a certain period of time,
the number of failed attempts to login to the system,
the amount of CPU utilized by a process, etc.
24. STATISTICAL MEASURES : These measures can be
parametric or non-parametric.
Parametric measures are used when a distribution of the
profiled attributes is assumed to fit a particular pattern
(a standard probability distribution function ).
Non-parametric measures are used when the
distribution of the profiled attribute is gathered from a
set of historical values observed over time.
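As an added example (not from the slides), the three anomaly measures above implemented over constructed per-hour failed-login counts: a fixed threshold, a parametric z-score that assumes a roughly Gaussian profile, and a non-parametric percentile taken from the observed history. The user names, counts, limits and the 24-hour profile length are all assumptions.

```python
"""Anomaly detection measures: threshold, parametric and non-parametric.
Added example; all sample data below is constructed."""
from statistics import mean, pstdev

# Constructed audit data: failed-login counts per user for the previous 24
# hours (the "normal activity profile") and the count for the current hour.
HISTORY = {
    "alice":   [0, 1, 0, 2, 1, 0, 0, 1, 1, 0, 2, 1, 0, 0, 1, 2, 0, 1, 0, 1, 1, 0, 2, 1],
    "mallory": [1, 0, 2, 1, 0, 1, 1, 0, 2, 1, 0, 1, 0, 2, 1, 0, 1, 1, 0, 2, 1, 0, 1, 0],
}
CURRENT = {"alice": 2, "mallory": 37}


def threshold_detect(count, limit):
    """Threshold detection: an attribute expressed as a count, with a permissible level."""
    return count > limit


def parametric_detect(history, current, z_limit=3.0):
    """Parametric measure: assume the profile follows a standard distribution
    (Gaussian here) and flag a value more than z_limit standard deviations
    above the historical mean."""
    mu, sigma = mean(history), pstdev(history)
    if sigma == 0:
        return current != mu  # degenerate profile: any change is a deviation
    return (current - mu) / sigma > z_limit


def nonparametric_detect(history, current, percentile=0.95):
    """Non-parametric measure: no distribution assumed; compare the current
    value against an empirical percentile of the historical values."""
    ordered = sorted(history)
    idx = min(len(ordered) - 1, int(percentile * len(ordered)))
    return current > ordered[idx]


def evaluate(user):
    """Run all three measures for one user and report which ones fire."""
    hist, cur = HISTORY[user], CURRENT[user]
    return {
        "threshold": threshold_detect(cur, limit=10),
        "parametric": parametric_detect(hist, cur),
        "nonparametric": nonparametric_detect(hist, cur),
    }
```

With these constructed profiles, alice's current count of 2 sits inside her normal range on every measure, while mallory's 37 trips all three; lowering z_limit or the percentile trades fewer missed deviations for more false alarms, which is the threshold-adjustment trade-off the slides call out.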
25. ADVANTAGES
Very effective to detect unknown threats
Example :
Suppose a computer is infected with a new type of malware. The malware consumes a large share of the computer’s processor resources and sends a large number of emails, initiating a large number of network connections. This is definitely a significantly different behavior from the established profiles.
It can produce information from the intrusive attack
that can be used to define signatures for misuse
detectors.
26. DISADVANTAGES
Current implementations do not work very well (too
many false positives/negatives)
Cannot categorize attacks very well
Difficult to train in highly dynamic environments
The system may be gradually trained by intruders
High false alarm rate
All activities excluded during training phase
Making a profile is very challenging
27. SIGNATURE DETECTION BASED IDS (Misuse Detection)
Attacks are known in advance (signatures)
Matches signatures of well-known attacks against state changes in systems or the stream of packets flowing through the network
The attack signatures are usually specified as rules
Example of signatures :
A telnet attempt with username “root”, which is a violation of an organization’s security policy
An e-mail with a subject “Free Pictures” and an attachment “freepics.exe” - characteristics of a malware
[Figure: Audit Data → System Profile → “rule match?” → Attack State; existing rules are modified and new rules are added]
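An added example (not from the slides) of the rule-matching step: signatures written as field/value rules are applied to constructed audit records, covering the two signatures the slide lists. The record format, the rule format and the "re:" prefix for regular-expression values are assumptions of this example.

```python
"""Misuse (signature) detection: match rules against audit records.
Added example; the events and rules below are constructed."""
import re

# Constructed audit records, one dict per observed event.
EVENTS = [
    {"type": "telnet_login", "src": "10.0.0.5", "user": "root"},
    {"type": "telnet_login", "src": "10.0.0.7", "user": "bob"},
    {"type": "email", "subject": "Free Pictures", "attachment": "freepics.exe"},
    {"type": "email", "subject": "Quarterly report", "attachment": "q3.pdf"},
]

# Signatures specified as rules: (name, {field: expected}); every field must
# match.  A value starting with "re:" is a regular expression (an assumed
# convention of this example, not of any particular IDS).
RULES = [
    ("telnet-root-login", {"type": "telnet_login", "user": "root"}),
    ("freepics-malware", {"type": "email", "subject": "Free Pictures",
                          "attachment": r"re:(?i).*\.exe"}),
]


def field_matches(expected, actual):
    """Compare one rule value with the observed field (missing field never matches)."""
    if actual is None:
        return False
    if isinstance(expected, str) and expected.startswith("re:"):
        return re.fullmatch(expected[3:], str(actual)) is not None
    return expected == actual


def match_rule(rule, event):
    """A rule matches when all of its conditions hold for the event."""
    _name, conditions = rule
    return all(field_matches(v, event.get(k)) for k, v in conditions.items())


def detect(events, rules=RULES):
    """Return (rule_name, event) for every signature hit, in event order."""
    hits = []
    for ev in events:
        for rule in rules:
            if match_rule(rule, ev):
                hits.append((rule[0], ev))
    return hits
```

Because `detect` takes the rule list as a parameter, adding a new rule (the "add new rules" arrow in the figure) is just appending to the list; nothing has to be relearned, which is why signature detectors are usable immediately but only as good as their rule database.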
28. ADVANTAGES
Very few false alarms
Very effective to detect previously known threats
FAST- There isn’t a need for the IDS to “learn” the
network behavior before it can be of use.
Easy to implement, deploy, update and understand
29. DISADVANTAGES
Cannot detect previously unknown attacks .
Constantly needs to be updated with new rules that
represent newly discovered attacks or modified existing
attacks .
As good as the database of attack signatures .
30. HOST-BASED IDS
These are confined to monitoring activity on the local host
computer .
Uses log files and network traffic in/out of that host as
data source (audit data) .
Monitors:
Incoming packets
Login activities
Root activities
File systems
Application logs such as syslog
Host-based IDS might also monitor
Wired and wireless network traffic
Running processes; file access/modification
32. TYPES OF HIDS
Centralised host-based intrusion detection
system .
Distributed host-based intrusion detection
system .
36. ADVANTAGES
Direct system information access: since in a distributed HIDS the IDS exists directly on the host system, it can directly access local system resources (operating system configuration, files, registry, software installations, etc.).
Can associate users with local computer processes.
Since a host is part of the target, a HIDS can provide
detailed information on the state of the system during the
attack.
Low resource utilization: HIDS only deal with the
inspection of traffic and events local to the host.
37. DISADVANTAGES
The implementation of HIDS can get very complex in
large networking environments. With several thousand
possible endpoints in a large network, collecting and
auditing the generated log files from each node can be
a daunting task .
If the IDS system is compromised, the host may cease
to function resulting in a stop on all logging activity .
Secondly, if the IDS system is compromised and the
logging still continues to function , the trust of such
log data is severely diminished .
38. NETWORK-BASED IDS
IDS are placed on the network, nearby
system(s) being monitored
Monitors network traffic for particular
network segments or devices
Sensors placed on network segment to check
the packets
Primary types of signatures are
String signature
Port Signature
Header Condition Signature
39. String Signature
Look for text/strings that may indicate a possible attack
Example: on a UNIX system, “cat” “+ +” > /.rhosts
Port Signature
Watch for connection attempts to well-known, frequently attacked ports
Example : telnet (TCP port 23)
Header Signature
Watch for dangerous or illogical combinations of packet headers
Example : TCP packet with both SYN and FIN flags set
The request wants to start and stop the connection at the same time.
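The three NIDS signature types above, as an added example that is not part of the slides: a minimal IPv4/TCP packet is constructed in-line (checksums left at zero, which is an assumption that suits offline inspection only), parsed, and checked for the /.rhosts string, a connection attempt to TCP port 23, and the SYN+FIN header condition.

```python
"""String, port and header-condition signatures over raw IPv4/TCP packets.
Added example; the packets are constructed in-line, not captured."""
import struct

TCP_FIN, TCP_SYN, TCP_ACK = 0x01, 0x02, 0x10


def build_packet(src_port, dst_port, flags, payload=b""):
    """Constructed minimal IPv4 + TCP packet (no options, zero checksums)."""
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 0, 5 << 4,
                      flags, 8192, 0, 0)
    return ip + tcp + payload


def parse(packet):
    """Pull ports, flags and payload out of the raw bytes using the IHL and
    data-offset fields, so option-bearing headers are handled too."""
    ihl = (packet[0] & 0x0F) * 4
    src_port, dst_port = struct.unpack("!HH", packet[ihl:ihl + 4])
    data_off = (packet[ihl + 12] >> 4) * 4
    flags = packet[ihl + 13]
    return {"sport": src_port, "dport": dst_port, "flags": flags,
            "payload": packet[ihl + data_off:]}


def string_signature(p):
    """Text that may indicate an attack: the slides' "+ +" > /.rhosts example."""
    return b"+ +" in p["payload"] and b"/.rhosts" in p["payload"]


def port_signature(p, watched=frozenset({23})):
    """Connection attempt (SYN without ACK) to a frequently attacked port."""
    syn_only = bool(p["flags"] & TCP_SYN) and not (p["flags"] & TCP_ACK)
    return syn_only and p["dport"] in watched


def header_signature(p):
    """Illogical flag combination: SYN and FIN set in the same segment."""
    return (p["flags"] & (TCP_SYN | TCP_FIN)) == (TCP_SYN | TCP_FIN)


def inspect(packet):
    """Names of the signatures that fire for one packet."""
    p = parse(packet)
    checks = (("string", string_signature), ("port", port_signature),
              ("header", header_signature))
    return [name for name, check in checks if check(p)]
```

The header check is the cheapest of the three because it never looks past the fixed TCP header, while the string check has to scan payload bytes; a sensor under heavy load drops the expensive checks first, which is the "large volume of traffic can crash the sensor" weakness noted later in the deck.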
41. TYPES OF NIDS
The network interface card placed in
promiscuous mode to capture all network
traffic .
Network-node intrusion detection system
that is used to sniff packets directed to a
mission-critical target .
42. ADVANTAGES
Trace activity
Complements:
Firewalls – NIDS can interact with firewall
technologies to dynamically block recognized
intrusion behavior.
System Management Competencies
Monitoring
Security Audits
Attack Recognition
Response
43. DISADVANTAGES
Cannot reassemble all fragmented traffic
Cannot analyze all data or deal with packet-level
issues
Firewalls serve best
IDS sensors are susceptible to various attacks
- Large volume of traffic can crash IDS sensor itself
45. INTERVAL-BASED IDS
work on audit logs
Audit data is processed periodically, not real-time
data mining
46. ON-THE-FLY PROCESSING
audit data is processed real-time continuously
may react and prevent an intrusion still going on
47. IDS MODELS
Anomaly Detection:
Predictive Pattern Generation
Fuzzy Classifiers
Neural Networks
Support Vector Machines
Expert Systems
Decision Trees
Misuse Detection:
Keystroke Monitoring
State Transition Analysis
Pattern Matching
48. PREDICTIVE PATTERN RECOGNITION
Try to predict future events based on event history
e.g. Rule: E1 - E2 → (E3 = 80%, E4 = 15%, E5 = 5%)
[Figure: after the sequence E1 E2 the rule predicts E3 with p = 0.8, E4 with p = 0.15 and E5 with p = 0.05]
Intrusion: the left-hand side of the rule is matched but the right-hand side is statistically deviant from the prediction
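An added example, not from the slides, of the rule above in code: the E1 E2 → (E3 80%, E4 15%, E5 5%) rule is learned from a constructed event history, then a monitored stream is checked for outcomes the rule predicted rarely or never, and for windows whose outcome mix deviates from the prediction. The history, the 10% "unexpected" cut-off and the 0.5 deviation tolerance are assumptions.

```python
"""Predictive pattern generation: learn "E1 E2 -> next event" rules from an
event history, then flag streams whose outcomes deviate from the prediction.
Added example; the event history and streams are constructed."""
from collections import Counter, defaultdict


def learn_rules(history, lhs_len=2):
    """Count which event follows each lhs_len-long prefix and normalise the
    counts into probabilities: {(E1, E2): {E3: 0.8, E4: 0.15, E5: 0.05}, ...}."""
    counts = defaultdict(Counter)
    for i in range(len(history) - lhs_len):
        lhs = tuple(history[i:i + lhs_len])
        counts[lhs][history[i + lhs_len]] += 1
    return {lhs: {ev: n / sum(c.values()) for ev, n in c.items()}
            for lhs, c in counts.items()}


def check_stream(rules, stream, lhs_len=2, min_prob=0.10, max_dev=0.5):
    """Return alerts: ("unexpected", lhs, event) when a matched left-hand side
    is followed by an event predicted with probability below min_prob, and
    ("deviant", lhs, event) when an outcome's observed share over the whole
    stream differs from the predicted share by more than max_dev."""
    observed = defaultdict(Counter)
    alerts = []
    for i in range(len(stream) - lhs_len):
        lhs = tuple(stream[i:i + lhs_len])
        if lhs not in rules:
            continue
        nxt = stream[i + lhs_len]
        observed[lhs][nxt] += 1
        if rules[lhs].get(nxt, 0.0) < min_prob:
            alerts.append(("unexpected", lhs, nxt))
    for lhs, c in observed.items():
        total = sum(c.values())
        for ev, p in rules[lhs].items():
            if abs(c[ev] / total - p) > max_dev:
                alerts.append(("deviant", lhs, ev))
    return alerts


def build_history():
    """Constructed history: after E1 E2 the next event is E3 in 16 of 20
    cases, E4 in 3 and E5 in 1, i.e. the 80% / 15% / 5% rule of the slide."""
    history = []
    for outcome in ["E3"] * 16 + ["E4"] * 3 + ["E5"]:
        history += ["E1", "E2", outcome]
    return history


RULES = learn_rules(build_history())
```

A stream of `E1 E2 E3` repeated with an occasional `E1 E2 E4` produces no alert, because it matches the predicted mix; a stream in which E1 E2 is followed by E5 every time matches the left-hand side but is statistically deviant on the right, which is exactly the intrusion condition the slide defines.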
49. Fuzzy Classifiers (1)
data mining
No clear boundary between normal and abnormal events
Selection of features:
Number of abnormal packets (invalid source or destination IP address)
Number of TCP connections
Number of failed TCP connections
Number of ICMP packets
Number of bytes sent / received per connection
[Figure: membership degree (0 to 1) of a feature count in a fuzzy space of 5 fuzzy sets, LOW, MEDIUM-LOW, MEDIUM, MEDIUM-HIGH and HIGH, with breakpoints at 5, 10, 25, 50 and 100]
50. Fuzzy Classifiers (2)
Detecting a Port Scan
if count of UNUSUAL SDPs on port N is HIGH
and count of DESTINATION HOSTS is HIGH
and count of SERVICE Ports observed is MEDIUM-LOW
then Service Scan of Port N is HIGH
Detecting a DoS Attack
if count of UNUSUAL SDTs is HIGH
and count of ICMPs is HIGH
then DoS ALERT is HIGH
SDP: source IP - destination IP - destination port
SDT: source IP - destination IP - packet type
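The two fuzzy rules above and the five-set fuzzy space of the previous slide, as an added example that is not from the slides: counts of unusual SDPs, destination hosts, service ports, unusual SDTs and ICMP packets are derived from constructed flow records, fuzzified with triangular membership functions, and combined with min for "and". The membership function shapes (peaks at 5, 10, 25, 50 and 100), the baseline of "usual" triples and the flow records are all assumptions.

```python
"""Fuzzy classification of traffic counts: the port-scan and DoS rules.
Added example; membership functions and flow records are constructed."""


def tri(x, a, b, c):
    """Triangular membership with support (a, c) and peak at b."""
    if x <= a or x >= c:
        return 0.0
    return (x - a) / (b - a) if x <= b else (c - x) / (c - b)


def fuzzify(x):
    """Degree of membership of a count in the five fuzzy sets.  The shapes
    are an assumption: LOW is full up to 5, HIGH is full from 100 upwards."""
    return {
        "LOW": 1.0 if x <= 5 else tri(x, 0, 5, 10),
        "MEDIUM-LOW": tri(x, 5, 10, 25),
        "MEDIUM": tri(x, 10, 25, 50),
        "MEDIUM-HIGH": tri(x, 25, 50, 100),
        "HIGH": 1.0 if x >= 100 else tri(x, 50, 100, 200),
    }


def port_scan_degree(records, port, baseline_sdps):
    """if UNUSUAL SDPs on port N is HIGH and DESTINATION HOSTS is HIGH and
    SERVICE PORTS observed is MEDIUM-LOW then Service Scan of Port N is HIGH."""
    on_port = [r for r in records if r["proto"] != "icmp" and r["dport"] == port]
    unusual = {(r["src"], r["dst"], r["dport"]) for r in on_port} - baseline_sdps
    hosts = {r["dst"] for r in on_port}
    services = {r["dport"] for r in records if r["proto"] != "icmp"}
    return min(fuzzify(len(unusual))["HIGH"], fuzzify(len(hosts))["HIGH"],
               fuzzify(len(services))["MEDIUM-LOW"])


def dos_degree(records, baseline_sdts):
    """if UNUSUAL SDTs is HIGH and ICMPs is HIGH then DoS ALERT is HIGH."""
    unusual = {(r["src"], r["dst"], r["proto"]) for r in records} - baseline_sdts
    icmp = sum(1 for r in records if r["proto"] == "icmp")
    return min(fuzzify(len(unusual))["HIGH"], fuzzify(icmp)["HIGH"])


# Constructed traffic: one well-known client talking to one server (the
# baseline), a scanner sweeping port 23 across 120 hosts, and an ICMP flood
# from 150 distinct sources.
NORMAL = [{"src": "10.0.0.5", "dst": "10.0.1.1", "dport": p, "proto": "tcp"}
          for p in (22, 23, 25, 53, 80, 110, 143, 443, 993, 995)]
BASELINE_SDPS = {(r["src"], r["dst"], r["dport"]) for r in NORMAL}
BASELINE_SDTS = {(r["src"], r["dst"], r["proto"]) for r in NORMAL}
SCAN = [{"src": "10.0.0.99", "dst": f"10.0.1.{i}", "dport": 23, "proto": "tcp"}
        for i in range(1, 121)]
FLOOD = [{"src": f"10.0.2.{i}", "dst": "10.0.1.1", "dport": 0, "proto": "icmp"}
         for i in range(1, 151)]
```

The rule output is a degree, not a verdict: half a flood (75 unusual SDTs and 75 ICMP packets) scores 0.5, and the operator chooses where between 0 and 1 an alert is raised, which is how fuzzy classification copes with the missing hard boundary between normal and abnormal.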
51. Neural Networks – IDS Prototypes (1)
Perceptron Model
simplest form of NN
single neuron with adjustable synapses (weights) and threshold
[Figure: inputs x1 … xn with weights w1 … wn feed a single neuron that compares the weighted sum with the threshold]
output y = 1 if $\sum_{i=1}^{n} x_i \cdot w_i > \text{threshold}$
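An added example (not from the slides) of the perceptron above: one neuron with adjustable weights and a threshold, trained with the classic perceptron learning rule on constructed per-connection feature vectors labelled normal (0) or intrusive (1). The features, the labels and the learning rate are assumptions; the training set is linearly separable, so the rule converges.

```python
"""Single-neuron perceptron for intrusion classification.
Added example; the feature vectors and labels are constructed."""

# Constructed training set: ([failed_logins, distinct_ports_touched,
# kilobytes_sent], label) with label 1 = intrusive, 0 = normal.
TRAINING = [
    ([0, 1, 3], 0), ([1, 1, 5], 0), ([0, 2, 2], 0), ([1, 2, 4], 0),
    ([6, 1, 1], 1), ([0, 9, 0], 1), ([5, 7, 1], 1), ([8, 8, 2], 1),
]


def predict(weights, threshold, x):
    """y = 1 if sum_i x_i * w_i > threshold, else 0 (the slide's neuron)."""
    return 1 if sum(xi * wi for xi, wi in zip(x, weights)) > threshold else 0


def train(samples, epochs=50, rate=0.1):
    """Perceptron learning rule: on each misclassified sample move the weights
    towards (or away from) the input and shift the threshold the other way.
    Stops early once a full pass makes no error."""
    n = len(samples[0][0])
    weights, threshold = [0.0] * n, 0.0
    for _ in range(epochs):
        errors = 0
        for x, y in samples:
            err = y - predict(weights, threshold, x)
            if err:
                errors += 1
                weights = [w + rate * err * xi for w, xi in zip(weights, x)]
                threshold -= rate * err  # the threshold acts as a negative bias
        if errors == 0:
            break
    return weights, threshold


def classify(x, model=None):
    """Classify one feature vector with a trained (weights, threshold) pair."""
    weights, threshold = model or train(TRAINING)
    return predict(weights, threshold, x)
```

On this data the learned weights are positive for failed logins and ports touched and negative for bytes sent, so a low-volume connection with many failed logins or many ports lands above the threshold while ordinary sessions fall below it; a single perceptron can only learn such linear boundaries, which is why the next slide moves to a multilayer backpropagation network.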
52. Neural Networks – IDS Prototypes (2)
Backpropagation Model
Multilayer feedforward network
input layer + at least one hidden layer + output layer
Correct detection rate ≈ 80% with 2% false alarms
[Figure: inputs x1 … xn feed the input layer, which connects to a hidden layer and then to the output layer]
53. Neural Networks – Data Preprocessing
1st round: Selection of data elements
protocol ID, source port, destination port, etc.
2nd round: Creation of relational databases
Prt ID | Src Port | Dest. Port | Source Addr. | Dest. Addr. | ICMP Type | ICMP Code | Raw Data Len. | Data | Attack ID
0 | 2314 | 80 | 1573638018 | -1580478590 | 1 | 1 | 401 | 3758 | 0
0 | 1611 | 6101 | 801886082 | -926167166 | 1 | 1 | 0 | 2633 | 1
3rd round: Conversion of query results into an ASCII comma-delimited normalized format (supervised learning)
0,2314,80,1573638018,-1580478590,1,1,401,3758,0
0,1611,6101,801886082,-926167166,1,1,0,2633,1
54. Neural Networks – Detection Approaches (1)
Detection by Weighted Hamming Distance
Let $V_n = \{0,1\}^n$ be the n-dimensional vector space over the binary field $\{0,1\}$, where $n = 0, 1, \ldots, \infty$
Let $A, B \in V_m$
$$whd(A) = \frac{1}{m}\sum_{i=1}^{m} W_i(A_i)$$
where $W_i$ is the weight element
• Find WHD between normal and current behaviour.
• If WHD > threshold then ALARM
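The weighted Hamming distance above in code, as an added example that is not from the slides: the normal-behaviour vector and the current-behaviour vector live in $V_m$, each bit is an observed attribute, and the weight of bit i counts only where the two vectors differ, normalised by m. The attribute names, the weights and the alarm threshold are assumptions.

```python
"""Weighted Hamming distance between a normal-behaviour bit vector and the
current one.  Added example; attributes, weights and vectors are constructed."""

# Constructed attributes (one bit each, m = 8) and the weight W_i that a
# mismatch in attribute i contributes.  Weights are at most 1, so the
# normalised distance stays within [0, 1].
FEATURES = ["off_hours_login", "su_attempt", "new_process_name", "outbound_conn",
            "large_upload", "failed_logins", "config_change", "log_cleared"]
WEIGHTS = [0.5, 1.0, 0.6, 0.4, 0.8, 0.7, 0.9, 1.0]
NORMAL = [0, 0, 0, 1, 0, 0, 0, 0]   # the learned "normal" profile for this host


def whd(a, b, weights=WEIGHTS):
    """whd = (1/m) * sum_i W_i(A_i), taking W_i(A_i) = weight of bit i when
    a_i != b_i and 0 when the bits agree."""
    m = len(a)
    if not (m == len(b) == len(weights)):
        raise ValueError("vectors and weights must have equal length")
    return sum(w for ai, bi, w in zip(a, b, weights) if ai != bi) / m


def alarm(current, normal=NORMAL, threshold=0.3):
    """Raise the alarm when the weighted distance from normal exceeds the threshold."""
    return whd(normal, current) > threshold


def explain(current, normal=NORMAL):
    """Names of the attributes that differ from the normal profile, for the analyst."""
    return [f for f, a, b in zip(FEATURES, normal, current) if a != b]
```

Unlike a plain Hamming distance, a single cleared log (weight 1.0) moves the score further than an off-hours login (weight 0.5), so the weights encode which deviations the analyst considers serious rather than treating every bit alike.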
55. Neural Networks – Detection Approaches (2)
Improved Competitive Learning Network (ICLN)
When a training example is presented to the network, the output neurons compete
Winning and losing neurons update their weight vector differently
Neurons become specialized to detect different types of attacks
ICLN update rule: $\Delta w = -\eta \,(d_c - d_j)\,(\text{Input} - w)$
where $\eta$ is the learning rate and $(d_c - d_j)$ is the effect of the distance between the winning neuron and the current neuron
56. SVM / Support Vector Machines (1)
List of n Features
Feature Name | Description
Duration | Length of connection (seconds)
Protocol Type | TCP, UDP, etc.
Service | Network service on destination (HTTP, Telnet, etc.)
Root_shell | 1: root shell is obtained; 0: otherwise
Num of file creations | # of file creation operations
… | …
F: n-dimensional feature space
Training period: SVMs plot the training vectors in F and label each vector
SVs make up a decision boundary in the feature space
57. SVM / Support Vector Machines (2)
e.g. n = 2 features
num_failed_logins: number of failed login attempts
num_SU_attempts: number of “su root” command attempts
We feed the system with labeled vectors
The system automatically draws the boundaries or hyperplanes by an algorithm
[Figure: num_failed_logins on the horizontal axis and num_SU_attempts on the vertical axis, each marked at 5; a boundary separates the “safe” region near the origin from the rest]
58. Expert Systems (forward-chaining)
IF
  condition1
  condition2        (Antecedent)
  ...
THEN
  derived_fact1
  derived_fact2     (Consequent)
  ...
When the conditions are satisfied, the rule is activated.
59. Sample Grammar for Expert Systems for Inference Rules
BNF Grammar
Variable Definition
‘VAR’ body_1
body_1 := var_name var_value
var_value := list_of(value) | value
Detection Rules
‘RULE’ Id body_2
Id := value /* Id is the identifier of the rule */
body_2 := list_of(condition) | condition ‘=>’ alert
condition := feature operator term
operator := contain | = | in | > | <
term := value | list_of(value) | var_name
Action Rules
‘BEHAVIOUR’ body_3
body_3 := condition ‘=>’ action_argument
condition := boolean expression
action := update | log | exit | continue
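The forward-chaining expert system of the previous slide together with the VAR and RULE parts of the grammar above, as an added example that is not from the slides: a small rule text is parsed into variables and detection rules, and the engine fires rules against an event, adding each consequent as a new fact so that later rules can chain on it. The concrete syntax (whitespace-separated tokens, a comma between conditions), the rule text and the events are assumptions; the BEHAVIOUR action rules are not implemented here.

```python
"""Forward-chaining rule engine for a subset of the slide's grammar:
VAR var_name value...  and  RULE Id condition [, condition]... => alert,
with operators contain, =, in, > and <.  Added example; the rule text and
events are constructed."""
import shlex

RULE_TEXT = """
VAR privileged root admin
RULE r1 user in privileged , service = telnet => root_telnet
RULE r2 subject contain "Free Pictures" , attachment contain .exe => malware_mail
RULE r3 root_telnet = true , failed_logins > 3 => brute_force
"""


def parse_rules(text):
    """Return ({var_name: [values]}, [(Id, [(feature, operator, term)], alert)])."""
    variables, rules = {}, []
    for line in text.strip().splitlines():
        tokens = shlex.split(line)          # quoted values become one token
        if not tokens:
            continue
        if tokens[0] == "VAR":
            variables[tokens[1]] = tokens[2:]       # var_value := list_of(value)
        elif tokens[0] == "RULE":
            arrow = tokens.index("=>")
            conditions, current = [], []
            for tok in tokens[2:arrow] + [","]:    # conditions separated by ","
                if tok == ",":
                    feature, operator, term = current
                    conditions.append((feature, operator, term))
                    current = []
                else:
                    current.append(tok)
            rules.append((tokens[1], conditions, tokens[arrow + 1]))
    return variables, rules


def holds(cond, facts, variables):
    """Evaluate one condition against the known facts; an absent feature never matches."""
    feature, operator, term = cond
    if feature not in facts:
        return False
    actual = facts[feature]
    if operator == "in":          # term is a var_name (or a literal value)
        return str(actual) in variables.get(term, [term])
    if operator == "contain":
        return term in str(actual)
    if operator == "=":
        return str(actual) == term
    if operator == ">":
        return float(actual) > float(term)
    if operator == "<":
        return float(actual) < float(term)
    raise ValueError(f"unknown operator {operator!r}")


def forward_chain(event, variables, rules):
    """Fire every rule whose antecedent holds; each consequent becomes a new
    fact, and passes repeat until no further rule fires."""
    facts = dict(event)
    fired = []
    changed = True
    while changed:
        changed = False
        for rule_id, conditions, alert in rules:
            if rule_id in fired:
                continue
            if all(holds(c, facts, variables) for c in conditions):
                facts[alert] = "true"
                fired.append(rule_id)
                changed = True
    return fired, facts


VARIABLES, RULES = parse_rules(RULE_TEXT)
```

The chaining is what distinguishes this from plain signature matching: r3 never looks at the user or service itself, it consumes the `root_telnet` fact that r1 derived, so an analyst can layer severity rules on top of detection rules without duplicating their conditions.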
60. Decision Trees
• All nodes are represented by a tuple (C, R, F, L)
  C = condition (feature, operator, value)
  R = set of candidate detection rules
  F = feature set (already used to decompose the tree)
  L = set of detection rules matched at that node
• root = (null, All Rules, ∅, ∅)
63. LIMITATIONS OF IDS
Sensitivity : IDS can never be perfect .
Does not compensate for problems in the quality or
integrity of information the system provides
Does not compensate for weaknesses in network
protocols
Dependent on human intervention to investigate attacks
Does not analyze all the traffic on a busy network