Intrusion Detection Dr. Gregory Vert
Intrusion Detection Dr. Gregory Vert. Intrusion Detection Definition: –Detection of an attack While it is going on Shortly after it has occurred.

Dec 26, 2015

Transcript
Page 1

Intrusion Detection

Dr. Gregory Vert

Page 2

Intrusion Detection

• Definition:
  – Detection of an attack
    • While it is going on
    • Shortly after it has occurred

Page 3

Intrusion Detection

• Goal:
  – To thwart the attack
  – Conduct a forensic investigation
  – Minimize damage
  – Learn how the attack was conducted and improve system security

Page 4

Intrusion Detection

• General theory behind ID
  – Actions of normal system processes and users conform to a pattern that can be defined mathematically
  – Users and processes are not trying to break the system
  – Users and processes have a set of defined privileges and actions

Page 5

Intrusion Detection

• In order to do intrusion detection, build a system that monitors for changes in the previous assumptions
• Example
  – 90% of CPU usage occurs between 8 am and 5 pm
  – Users don't usually browse the password files
  – More than 3 failed login attempts may be an attack, because users usually log in on the first try

Page 6

Intrusion Detection

• Attack tools
  – Are how systems are usually attacked
  – Are usually a piece of existing software
  – Are generally automated
    • Want volume in an attack
    • Want to look at many computers and find a few that are not secure
    • Want the computer to do the bulk of the work on the attack

Page 7

Intrusion Detection

• Example of an attack tool
  – Root kits
    • Replace existing operating system files
    • Sniff passwords and network connections
    • Run with root privilege
    • E.g. ls, du, netstat, ifconfig (network device configuration)
    • Run concealed
    • Allow access to the hacker through a back door

Page 8

Intrusion Detection

• Denning
  – Hypothesis that exploitation of vulnerabilities requires abnormal use of existing commands
  – Therefore look for abnormality in command usage on the system
  – Key idea behind detection

Page 9

Intrusion Detection

• Intrusion Detection Systems (IDS)
  – An automated system that looks for abnormal patterns in:
    • System commands
    • Usage
    • Volumes
    • Access to locations in the system
    • Failures

Page 10

Intrusion Detection

• An IDS must be automated because
  – System logs contain tons and tons of information
  – Often looking for 5-20 abnormal changes in 5000 lines of data
  – Slow attacks are even worse to detect because
    • Actions happen over an extended period of time
    • Logs don't show adjacent sequences of activities

Page 11

Intrusion Detection

• A good IDS has 4 characteristics (Bishop)
  – Detects a wide variety of attacks
    • Not as simple as it sounds
    • How can you detect an attack if you don't know how it works and have never seen one before?
    • Class ideas?

Page 12

Intrusion Detection

• Good IDSs have 4 characteristics
  – Detect attacks in a timely fashion
    • How fast is fast enough?
    • Discussion?
    • Real-time systems may bog down processing
      – Which is an attack in its own right
      – A denial of service attack

Page 13

Intrusion Detection

• Good IDSs have 4 characteristics
  – Must present analysis in a clear, simple format
    • Problems:
    • False positives
      – Thinks an attack is going on when it really is not
    • False negatives
      – Does not think an attack is going on when it really is

Page 14

Intrusion Detection

• Good IDSs have 4 characteristics
  – Must be accurate
    • The "false X" problem from the previous slide
  – We only want to respond to the real stuff because:
    • Time consuming
    • May lead to actions that damage the system without cause
    • Draws resources away from dealing with a real attack that could start as you are investigating

Page 15

Intrusion Detection

• Three system models for an IDS
  – Anomaly detection
  – Misuse detection
  – Specification detection
    • New

Page 16

Intrusion Detection

• Anomaly detection
  – Assumes that unexpected behavior is evidence of an attack
  – Compares a set of variables and their values to a known set of variables
  – Tries to reason about an attack based on data that does not match
  – Usually done with statistics, but could be done with other variable techniques also

Page 17

Intrusion Detection

• Anomaly detection
  – Threshold approach
    • When a variable (or variables) is above a certain level, determine an attack
    • Example:
      – Number of failed logins for a given user id in 10 minutes
      – Disk usage
      – Number of packets on port x in time period n
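The threshold rule above (more than 3 failed logins for one user id in 10 minutes) as a detector run over constructed auth log lines; this is an added example, not code from the slides. The log format, the user names and the sliding-window function are assumptions, and the spread-out attempts by carol show the slow-attack problem from page 10.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log (not from the slides): "date time user OK|FAIL".
# bob fails 4 times inside 10 minutes; carol spaces her failures 11 minutes apart.
SAMPLE_LOG = """\
2024-01-15 09:00:05 alice FAIL
2024-01-15 09:01:10 alice OK
2024-01-15 09:02:00 bob FAIL
2024-01-15 09:03:30 bob FAIL
2024-01-15 09:05:00 bob FAIL
2024-01-15 09:06:15 bob FAIL
2024-01-15 09:20:00 carol FAIL
2024-01-15 09:31:00 carol FAIL
2024-01-15 09:42:00 carol FAIL
2024-01-15 09:53:00 carol FAIL
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (OK|FAIL)$")


def parse(log_text):
    """Yield (timestamp, user, result); malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        yield ts, m.group(2), m.group(3)


def threshold_alerts(log_text, limit=3, window_minutes=10):
    """Return {user: time} for each user whose failures inside one sliding
    window exceed `limit`; the time is when the threshold was first crossed."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # user -> failure timestamps still inside the window
    alerts = {}
    for ts, user, result in parse(log_text):
        if result != "FAIL":
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:  # age out failures older than the window
            q.popleft()
        if len(q) > limit and user not in alerts:
            alerts[user] = ts
    return alerts


if __name__ == "__main__":
    for user, when in threshold_alerts(SAMPLE_LOG).items():
        print(f"ALERT {user}: threshold crossed at {when}")
```

carol is never flagged by the 10-minute window even though she fails four times; widening the window or lowering the limit catches her, at the price of more false positives for ordinary users.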

Page 18

Anomaly Detection

• Threshold approach problems
  – Users have different skill levels
    • Example: an Asian user of an English computer system
    • Class?
  – One threshold is generally applied to all
  – However, the approach can penalize new users by locking them out of the system

Page 19

Anomaly Detection

• Statistical moment approach
  – Instead of setting a threshold, calculate:
    • Averages
    • Means
    • Standard deviations
  – Look for deviations from these variables

Page 20

Anomaly Detection

• Statistical moment approach
  – Problems
    • Data may change over time in unexpected ways
      – New users
      – Users become smarter
    • Need to age data somehow to show how the system is changing
    • How do we do this?
    • Generally a better system than thresholds
    • May use an expert system (Haystack, IDES)
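Pages 19 and 20 above: a statistical moment profile that ages old data, assumed here to be an exponentially weighted mean and variance, beside a profile whose moments are frozen after warm-up, both run over a constructed series of commands-per-session counts. This is an added example, not from the slides; the alpha, k and warm-up values are assumptions.

```python
import math

# Constructed sample (not from the slides): commands issued per login session by one user.
# Sessions 0-9 are a steady baseline, sessions 10-19 grow by two per session (the user
# "becomes smarter"), session 20 is a sudden jump.
SESSIONS = [48, 52, 50, 49, 51, 50, 53, 47, 50, 51,
            53, 55, 57, 59, 61, 63, 65, 67, 69, 71,
            250]


class AgedProfile:
    """Exponentially weighted mean and variance: each update discounts the old
    moments by (1 - alpha), so the profile follows slow drift in the data."""

    def __init__(self, alpha=0.2, k=3.0, warmup=5):
        self.alpha, self.k, self.warmup = alpha, k, warmup
        self.mean, self.var, self.n = 0.0, 0.0, 0

    def observe(self, x):
        """Test x against the current profile, then fold it in. Returns True if x
        lies more than k standard deviations from the mean (after warm-up)."""
        anomalous = False
        if self.n >= self.warmup:
            std = max(math.sqrt(self.var), 1e-9)
            anomalous = abs(x - self.mean) > self.k * std
        if self.n == 0:
            self.mean = float(x)
        else:
            diff = x - self.mean
            incr = self.alpha * diff
            self.mean += incr
            self.var = (1 - self.alpha) * (self.var + diff * incr)
        self.n += 1
        return anomalous


def aged_alerts(samples, **profile_args):
    """Indices flagged by the aged (exponentially weighted) profile."""
    profile = AgedProfile(**profile_args)
    return [i for i, x in enumerate(samples) if profile.observe(x)]


def fixed_alerts(samples, warmup=10, k=3.0):
    """Same test with moments frozen after the warm-up period: no aging."""
    base = samples[:warmup]
    mean = sum(base) / len(base)
    std = math.sqrt(sum((x - mean) ** 2 for x in base) / len(base))
    return [i for i, x in enumerate(samples)
            if i >= warmup and abs(x - mean) > k * std]


if __name__ == "__main__":
    print("aged profile flags sessions:", aged_alerts(SESSIONS))    # [20]
    print("frozen profile flags sessions:", fixed_alerts(SESSIONS))  # [12, ..., 20]
```

The frozen profile reports every session of the gradual growth as an attack, while the aged profile follows the drift and reports only the jump; alpha sets how fast old data is forgotten, and a larger alpha also lets a slow attacker train the profile toward their own behaviour.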

Page 21

Anomaly Detection

• State machine model
  – A series of events occurs in regular sequences
  – Certain events are more likely to follow other events: state transitions
  – When a low-probability transition occurs, it is probably anomalous
  – Draw: login, cd home dir -> open word processor
  – Can be utilized on system calls: open, read, write, close

Page 22

Anomaly Detection

• State machine
  – Problems
    • Need to know the events and sequences ahead of time
    • Need training data
    • The system may change based on the addition of new software
    • Can only be run on the computer from which the training data is derived
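The transition model from page 21 together with the training-data caveat from page 22: transition probabilities learned from constructed traces of open/read/write/close calls, and traces scored against them. This is an added example, not from the slides; the traces, the 5% threshold and treating an unseen transition as probability zero are assumptions.

```python
from collections import Counter, defaultdict

START, END = "<start>", "<end>"

# Constructed training traces (not from the slides): system calls from normal runs
# of one program. They are the only knowledge the model has of "regular sequences".
TRAINING = [
    ["open", "read", "read", "close"],
    ["open", "read", "write", "close"],
    ["open", "read", "read", "read", "close"],
    ["open", "write", "close"],
    ["open", "read", "close"],
]


def learn_transitions(traces):
    """Estimate P(next | current) from bigram counts, with start/end markers so
    that the first and last event of a trace are modelled too."""
    counts = defaultdict(Counter)
    for trace in traces:
        seq = [START] + list(trace) + [END]
        for cur, nxt in zip(seq, seq[1:]):
            counts[cur][nxt] += 1
    return {cur: {nxt: c / sum(nb.values()) for nxt, c in nb.items()}
            for cur, nb in counts.items()}


def score_trace(model, trace, threshold=0.05):
    """Return [(current, next, probability)] for every transition below the
    threshold. A transition never seen in training gets probability 0, so a
    trace from newly installed software is flagged even when it is benign (page 22)."""
    seq = [START] + list(trace) + [END]
    low = []
    for cur, nxt in zip(seq, seq[1:]):
        p = model.get(cur, {}).get(nxt, 0.0)
        if p < threshold:
            low.append((cur, nxt, p))
    return low


MODEL = learn_transitions(TRAINING)

if __name__ == "__main__":
    for trace in (["open", "read", "read", "close"],
                  ["open", "write", "read", "close"]):
        print(trace, "->", score_trace(MODEL, trace) or "normal")
```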

Page 23

Anomaly Detection

• What features and data variables to watch is critical to the success of AD
• Frank demonstrated that selection of the "best" features for a network activity classification program could be based on eliminating features according to the error rate they induce in classification of activity
  – He found that about 5 features was right for his study

Page 24

Anomaly Detection

• Generally assumes a Gaussian distribution
  – A bell curve that shows what is normal
• Some systems may cluster data by related values, such as "read time" for a file and "CPU usage" for the read
  – Outliers, values that don't fit into a cluster, can then be an attack
  – Draw

Page 25

Misuse Detection

• An attack by an insider who generally has authorized access
• Is rule based
• Looks for sequences of commands that knowingly violate policy
• Example

Page 26

Misuse Detection

• Rules are placed into a rule set
• The IDS processes rules against system logs looking for violations of the rules
• Often involves expert systems because rules can be ambiguous

Page 27

Misuse Detection

• Can't detect attacks that are unknown: the attack's sequence of rule violations is not known
• Can enhance systems to make them adaptive via Petri nets

Page 28

Misuse Detection

• IDIOT (Spafford) uses Petri nets
• Defines
  – Events: a change in system state
    • A record of the event
  – Transitions from one state to another on an event
  – Transitions may have tests (guards) that check for the existence of variables in certain states and/or make assignments
  – Can have separate transition branches that merge
  – Draw

Page 29

Misuse Detection

• IDIOT classified attacks by categories:
  – Existence: the attack creates a file
  – Sequence: the attack causes several events to occur sequentially
  – Partial order: the attack causes two or more sequences of events that form an ordering over time
  – Interval: two events occur exactly n units of time apart

Page 30

Misuse Detection

• IDIOT
  – Monitors audit trail logs
  – STAT is a similar system
    • Ilgun
    • No guards
    • Uses state tables
    • Looks at the sequence of commands used to, e.g., get a forbidden privilege
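The IDIOT pattern mechanics from pages 28 to 30 (events, transitions, guards that test and assign variables, tokens that advance through a sequence) as a small matcher run over constructed audit records. This is an added example, not IDIOT's or STAT's code; the record format, the policy pattern (a restricted file read, then written under /pub and made readable to others by the same user) and the guard helper are assumptions.

```python
# Constructed audit-trail records (not from the slides), in time order.
AUDIT = [
    {"t": 1, "ev": "read",  "user": "mallory", "path": "/restricted/plan.doc"},
    {"t": 2, "ev": "read",  "user": "alice",   "path": "/restricted/budget.xls"},
    {"t": 3, "ev": "write", "user": "alice",   "path": "/home/alice/notes.txt"},
    {"t": 4, "ev": "write", "user": "mallory", "path": "/pub/p.doc"},
    {"t": 5, "ev": "chmod", "user": "mallory", "path": "/pub/p.doc", "mode": "0644"},
    {"t": 6, "ev": "chmod", "user": "alice",   "path": "/home/alice/notes.txt", "mode": "0600"},
]


def bind(b, **names):
    """Guard helper: make assignments to the token's variables and succeed."""
    b.update(names)
    return True


# A pattern is a list of transitions: (event type, guard). The guard sees the event
# and the token's bindings; it may test existing variables and assign new ones.
# Sequence category: read restricted file -> write under /pub -> make it readable.
EXFIL_PATTERN = [
    ("read",  lambda e, b: e["path"].startswith("/restricted/")
                           and bind(b, user=e["user"], src=e["path"])),
    ("write", lambda e, b: e["user"] == b["user"] and e["path"].startswith("/pub/")
                           and bind(b, dst=e["path"])),
    ("chmod", lambda e, b: e["user"] == b["user"] and e["path"] == b["dst"]
                           and e["mode"][-1] in "4567"),   # others may read
]


def run_pattern(pattern, events):
    """Petri-net style matching. A token is (stage, bindings): a partial match that
    has fired `stage` transitions. Tokens advance independently, so interleaved
    activity by several users is followed without confusion."""
    tokens, matches = [], []
    for e in events:
        moved = []
        for stage, b in tokens:
            ev, guard = pattern[stage]
            nb = dict(b)                  # copy so a failed guard leaves the token intact
            if e["ev"] == ev and guard(e, nb):
                moved.append((stage + 1, nb))
            else:
                moved.append((stage, b))
        ev, guard = pattern[0]            # every event may also start a new token
        nb = {}
        if e["ev"] == ev and guard(e, nb):
            moved.append((1, nb))
        tokens = []
        for stage, b in moved:
            if stage == len(pattern):
                matches.append(dict(b, t=e["t"]))
            else:
                tokens.append((stage, b))
    return matches


if __name__ == "__main__":
    for m in run_pattern(EXFIL_PATTERN, AUDIT):
        print("policy violation:", m)
```

Without guards (the STAT case on page 30) the three event types alone would also match alice's unrelated read, write and chmod; the bindings are what tie the sequence to one user and one file.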

Page 31

Specification Modeling

• Misuse detection looks for states known to be bad
• Specification modeling looks for states known to not be good: a possible intrusion
• Builds specifications for how a program should run
• Examines the program for deviations from good states

Page 32

Specification Modeling

• Ko developed a specification-based IDS
• Monitored 15 security-related programs
• Monitored things like:
  – Object access
  – Synchronization of data
  – Sequences of commands
  – Race conditions

Page 33

Specification Modeling

• They looked at rdist (remote distribution)
• rdist updates programs on remote systems
• The problem is that rdist modifies permissions on files
  – By replacing a file with a symbolic link to another file, one can get rdist to change permissions on that file

Page 34

Specification Modeling

• SM utilizes grammars to specify actions
  – Grammars define acceptable activities
  – Is a relatively new field
  – Because it specifies what should happen
    • Unknown attacks can be detected
  – Class drawbacks?
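Pages 31 to 34 above: a specification for an rdist-like installer written as a small per-file grammar (create, write*, chmod, rename) plus the object-access check from page 32, run over constructed traces that include the symbolic-link case from page 33. This is an added example, not Ko's system; the operations, the record format and the rule that chmod may only target a regular file the program created itself are assumptions.

```python
# Per-file grammar of acceptable activity for an rdist-like installer (assumed spec):
# state -> {operation: next state}. None is the state of a path the program never touched.
SPEC = {
    None:        {"create": "open"},
    "open":      {"write": "open", "chmod": "perms_set"},
    "perms_set": {"rename": "installed"},
    "installed": {},
}

# Constructed traces (not from the slides). "type" is what the path was at the time
# of the operation, as the audit source would record it.
TRACE_OK = [
    {"op": "create", "path": "/usr/local/bin/tool.tmp", "type": "file"},
    {"op": "write",  "path": "/usr/local/bin/tool.tmp", "type": "file"},
    {"op": "chmod",  "path": "/usr/local/bin/tool.tmp", "type": "file"},
    {"op": "rename", "path": "/usr/local/bin/tool.tmp", "type": "file"},
]
TRACE_LINK = [
    {"op": "create", "path": "/usr/local/bin/tool.tmp", "type": "file"},
    {"op": "write",  "path": "/usr/local/bin/tool.tmp", "type": "file"},
    {"op": "chmod",  "path": "/usr/local/bin/tool.tmp", "type": "symlink"},
    {"op": "rename", "path": "/usr/local/bin/tool.tmp", "type": "symlink"},
]
TRACE_FOREIGN = [
    {"op": "chmod", "path": "/etc/passwd", "type": "file"},
]


def check_trace(trace, spec=SPEC):
    """Return the list of deviations from the specification. Unlike a misuse rule
    set, nothing here describes an attack: anything outside the grammar is reported."""
    state = {}           # path -> grammar state for files this run has created
    violations = []
    for e in trace:
        cur = state.get(e["path"])
        if cur is None and e["op"] != "create":
            violations.append(f"{e['op']} on {e['path']}, which the program did not create")
            continue
        nxt = spec[cur].get(e["op"])
        if nxt is None:
            violations.append(f"{e['op']} on {e['path']} is not allowed in state {cur}")
            continue
        if e["op"] == "chmod" and e["type"] != "file":
            violations.append(f"chmod on {e['path']}, which is now a {e['type']}")
            continue
        state[e["path"]] = nxt
    return violations


if __name__ == "__main__":
    for name, trace in (("ok", TRACE_OK), ("link", TRACE_LINK), ("foreign", TRACE_FOREIGN)):
        print(name, "->", check_trace(trace) or "conforms")
```

The symlink swap is reported without any signature for it, which is the point of page 34; the drawback for the class question is visible too: every legitimate change to how the installer works needs an expert to revise SPEC.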

Page 35

Summary

• Misuse detection
  – Detects violations of policy, implicit or explicit
  – Need to develop rules, states, actions, etc.
  – Must have them in a rule base
  – Only detects attacks that are known

Page 36

Summary

• Anomaly detection
  – Detects policy violations also
  – A little more generalized than misuse detection
  – Uses statistics to find deviations

Page 37

Summary

• Specification modeling
  – Must have rules for how a good program operates
  – Need experts to define rules
  – Can detect unknown attacks

Page 38

Architecture

• An IDS works off of audit trails
• Audit trails are found in logs
• Best to collect log data from all over the system due to distributed attacks
• Generally constructed in 3 subsystems

Page 39

Architecture

• Agent
  – A relatively autonomous piece of software that collects data from a local machine
  – May format the data
    • Why?
  – Sends the data to a centralized system
  – May weed out data that is not deemed to be important

Page 40

Architecture

• Agents can be:
  – Host based
    • Utilize system and application logs
    • May be security logs or accounting logs
    • A virtual agent can be in the kernel and write data to logs it finds interesting
    • Logs can be very large

Page 41

Architecture

• Agents can be:
  – Network based
    • Use devices and software to monitor network traffic
    • Used to detect network-based attacks
    • Utilize sniffing
    • Monitor contents of packets
    • Must be arranged in a way that provides full network coverage
    • Encipherment makes this task a problem

Page 42

Architecture

• Agents send formatted information to the director software
• Directors
  – Eliminate unnecessary log entries
  – Utilize an analysis engine to find attacks
  – Usually run on a separate system
  – Adaptive directors may alter search rules (neural network)

Page 43

Architecture

• Notifier
  – Accepts information from the director and takes appropriate action
  – May notify a security officer via a GUI
  – May be proactive in combating an attack

Page 44

Systems to Look At

• Courtney: monitors for use of SATAN
• SATAN: system for finding weaknesses in Unix
• IDIP: coordinates IDSs on firewalls to block attacks
• NSM: develops profiles of system usage and compares against the profiles, e.g. repeated telnet connections of short duration

Page 45

Systems to Look At

• DIDS: distributed IDS based on NSM; works in conjunction with host-based IDSs
  – NSM is network based only
• AAFID: autonomous agents that report data; distributes the components of the IDS into pieces
  – Eliminates a single point of failure; the director is distributed

Page 46

Incident Response

• Ideally you want to
  – Detect the attack as it starts
  – Take defensive measures
  – Work automatically
  – Can be very system-resource intensive
    • Why?

Page 47

Incident Response

• Definition:
  – Jailing
    • Placing an attacker in a confined area of the system
    • Letting them think that they are inside the system
    • Allows one to observe the hacker
    • Sometimes referred to as a honey pot
    • Usually has a faked file system
    • May intercept system calls and do something (kernel)

Page 48

Incident Response

• Goal: to restore the system to comply with the security policy
  – Replace / fix damaged resources

Page 49

Incident Response

• Six phases:
  – Preparation
    • Procedures and methods for detection
    • Backups
  – Identification
    • Identify the attack
    • Trigger for the following phases

Page 50

Incident Response

• Containment
  – Limits the damage as much as possible
  – May not be possible if you have a real-time system
  – Attacks generally probe for a while and then do damage
  – You get a chance to contain if you detect the probing

Page 51

Incident Response

• Eradication
  – Stops the attack if done in real time
  – Puts mechanisms in place to thwart other attacks
• Recovery
  – Restores the system to its pre-attack configuration
  – Must detect what has been modified

Page 52

Incident Response

• Response / follow up
  – Taking action against the attacker
    • Forensic investigation
    • Counter attack
    • Law enforcement
  – Fixing holes in your system
  – Documentation of lessons learned
  – Documentation of attack details

Page 53

Details

• Containment
  – Approaches
    • Passive monitoring: meant to record actions for later use
      – Examine the goals and techniques of the hacker
      – A honeypot
    • Constraining the actions of the hacker
      – Goal: to prevent the hacker from accomplishing their aims
      – Problem: may not know what the goal is

Page 54

Details

• Eradication
  – Goal: to stop the attack
  – Must ensure it does not resume immediately
  – May block attacks by placing wrappers around a suspected target
  – Wrappers control access
  – Want to embed wrappers in the kernel to make them hard to bypass
  – Example

Page 55

Details

• Eradication
  – Good to place wrappers at the firewall
  – Firewalls filter network traffic
  – Example
  – IDIP: Intrusion Detection and Isolation Protocol
    • Are firewalls
    • Work to communicate directly with each other
    • Coordinate a response to an attack

Page 56

Details

• Follow up
  – Most common is to follow up with legal action
  – How to trace the attack for follow up
    • Thumbprinting
      – Monitor connections between any two hosts
      – Check for similar content moving across the connections
      – The method allows you to trace back to the source of the attack
      – Hackers may move through multiple hosts before attacking
      – Software needs to be small, effective and fast

Page 57

Details

• Follow up
  – May use IP header marking
    • Examine and mark the contents of headers to trace an attack back to its source
    • Don't want to do this for every packet
    • Deterministic marking: marks every n packets using an algorithm
    • Marking is done in extra bits that are not utilized in IP headers

Page 58

Details

• Follow up
  – Counter attacking
    • Filing criminal complaints
      – Requires a good chain of evidence to establish that the attack was real, not an accident or error
    • Technical attack
      – Goal is to damage their system
      – Problems
        » May harm innocent parties
        » May have side effects: denial of service
        » May get you in trouble legally
