Lesson 5 Intrusion Detection Systems
Dec 22, 2015
UTSA IS 3523 ID & Incident Response
Overview
• History
• Definitions
• Common Commercial IDS
• Specialized IDS
Why Even Bother?
• “One of the problems with anomaly detection is that even the current best research systems have something like a 75% success rate.”
Marcus Ranum
Network Flight Recorder
Intrusion Detection Defined
• The process of monitoring the events occurring in a computer system or network and analyzing them for signs of intrusions, where an intrusion is an attempt to compromise the confidentiality, integrity or availability of a computer or network, or to bypass its security mechanisms.
General Thoughts about ID
• No defense is impenetrable
– Vulnerabilities exist that bypass system security precautions
– Automated tools exist to find and exploit vulnerabilities
• A methodology to detect and report suspicious host and network activity must be implemented
• IDS Goal: to characterize attack manifestations to positively identify all true attacks without falsely identifying non-attacks
• ID is an instance of the general signal detection problem
Why use ID?
• Increase the perceived risk of discovery and punishment
• To detect attacks not prevented by other means
• Detect and deal with probing
• Document existing threats
• QC for security design and administration
• Forensics for improved security or prosecution
Goals of IDS
• Accountability - “I can deal with security attacks that occur on my systems as long as I know who did it (and where to find them.)”
• Response - “I don’t care who attacks my system as long as I can recognize that the attack is taking place and block it.”
History of ID
• 1980 - James P. Anderson: Computer Security Threat Monitoring and Surveillance
• 1987 - Dorothy Denning: An Intrusion Detection Model
– Laid the groundwork for commercial products
• Circa 1993 - USAF ASIM (Automated Security Incident Measurement), an early operationally deployed network IDS
Generic Intrusion Detection Model
(Figure: generic intrusion detection model.) Audit trails, network packets and application logs feed an Event Generator; events update an Activity Profile and are evaluated by a Rule Set / Detection Engine. The engine creates anomaly records, updates profile state, designs new profiles, and defines new or modifies existing rules; a clock drives time-based profile updates.
Model Components
• Rule Set - an inference engine that decides whether an intrusion has occurred; more generally, a detector that examines events and state data using models, rules, patterns and statistics to flag intrusive behavior
• Activity Profile - maintains the state of the system or network being monitored
– Feedback from the detector into the profile is critical
– The model imposes no architectural limitations
– The rule base can learn if programmed to do so
Haystack
(Figure: Haystack.) Audit data from a Unisys 1100 mainframe is carried on 9-track tape to a Z-248 PC, where a preprocessor produces a canonical audit trail that is fed to statistical analysis and report generation.
Intrusion Detection Expert System (IDES)
(Figure: IDES.) Components shown: Audit Records Receiver (audit data in), Active Data Collector (active data), Anomaly Detector (anomaly data and profile data), Profile Updater, Expert System, and a Security Administrator Interface.
Multics Intrusion Detection and Alerting System (MIDAS)
(Figure: MIDAS.) On the Multics side, a command monitor and preprocessor forward audit records across a network interface to a Symbolics machine holding the fact base, statistical database and rule base; a System Security Monitor presents results.
Network Security Monitor (NSM)
(Figure: NSM.) Network traffic passes through a packet catcher and filter to an object detector and analyzer, then to a report generator; captured traffic is kept in a traffic archive.
Network profile: which systems normally connect to which others, using what service. During a two-month period at UC Davis, NSM analyzed 110,000 connections and correctly identified over 300 intrusions, of which only 1% had been detected by system administrators.
Distributed IDS (DIDS)
(Figure: DIDS.) A DIDS Director collects reports from a LAN Monitor and from host monitors on monitored hosts; the same LAN also carries unmonitored hosts.
Cooperating Security Monitors (CSM)
(Figure: CSM.) Each CSM node has a Command Monitor, a Local IDS, an Intruder Handler and a User Interface, and exchanges information with other CSMs.
Current IDS Trends
• Maturing
• Manpower needs reducing
• False alarm rates dropping
• Dynamic, high-speed, stable
• Integrating with other technology
Type of IDS
• Signature-based systems
– Use attack descriptions that can be matched against attack manifestations
• Anomaly-based detectors
– Equate "unusual" or "abnormal" activity with intrusion
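The two detector types above, together with the NSM-style network profile and the profile-feedback step of the generic model from earlier slides, as an added example written for this page (it is not code from the course or from any of the systems described): a signature matcher run over constructed connection records, and a baseline-driven anomaly detector that flags host/service pairs outside the learned profile and one source probing many targets ("door knob rattling"). The signature names, hosts, threshold and traffic are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    """One observed connection (constructed record, not a real capture)."""
    src: str
    dst: str
    dport: int
    payload: str = ""


# Signature-based detection: each rule is an attack description that is
# matched against an event. Names and patterns are hypothetical examples.
SIGNATURES = {
    "http-traversal": lambda c: c.dport == 80 and "../" in c.payload,
    "http-passwd-fetch": lambda c: c.dport == 80 and "/etc/passwd" in c.payload,
}


def signature_alerts(conn):
    """Return the names of every signature the connection matches."""
    return [name for name, rule in SIGNATURES.items() if rule(conn)]


class NetworkProfile:
    """NSM-style profile: which hosts normally connect to which, using what service."""

    def __init__(self, scan_threshold=5):
        self.known = set()                 # (src, dst, dport) triples seen in training
        self.scan_threshold = scan_threshold
        self.touched = defaultdict(set)    # src -> set of (dst, dport) it has tried

    def learn(self, conns):
        """Build the baseline from traffic assumed to be normal."""
        for c in conns:
            self.known.add((c.src, c.dst, c.dport))

    def check(self, conn):
        """Anomaly-based detection: return labels, empty if the baseline covers it."""
        anomalies = []
        if (conn.src, conn.dst, conn.dport) not in self.known:
            anomalies.append("new-connection-pattern")
        self.touched[conn.src].add((conn.dst, conn.dport))
        if len(self.touched[conn.src]) >= self.scan_threshold:
            anomalies.append("door-knob-rattling")   # one source, many host/service pairs
        return anomalies

    def accept(self, conn):
        """Feedback step: the admin confirms the activity is legitimate, so the
        profile state is updated and this pattern stops alerting."""
        self.known.add((conn.src, conn.dst, conn.dport))


def analyze(profile, conns):
    """Run both detectors over a stream; returns [(conn, alerts)] for flagged events."""
    findings = []
    for c in conns:
        alerts = signature_alerts(c) + profile.check(c)
        if alerts:
            findings.append((c, alerts))
    return findings


# Constructed baseline traffic (a normal period in miniature).
BASELINE = [
    Conn("10.0.0.5", "10.0.0.10", 80),
    Conn("10.0.0.5", "10.0.0.11", 25),
    Conn("10.0.0.6", "10.0.0.10", 80),
]

# Constructed test traffic: a traversal attempt on a known pair, an unusual
# telnet connection, and an outside host sweeping five services on one target.
TRAFFIC = [
    Conn("10.0.0.5", "10.0.0.10", 80, "GET /../../etc/passwd HTTP/1.0"),
    Conn("10.0.0.6", "10.0.0.11", 23),
] + [Conn("192.0.2.9", "10.0.0.10", p) for p in (21, 22, 23, 25, 80)]


def demo():
    profile = NetworkProfile(scan_threshold=5)
    profile.learn(BASELINE)
    return analyze(profile, TRAFFIC)


if __name__ == "__main__":
    for conn, alerts in demo():
        print(f"{conn.src} -> {conn.dst}:{conn.dport}  {alerts}")
```

The first record trips only the signatures (its host/service pair is in the profile), the telnet connection trips only the anomaly detector, and the sweep is reported as new patterns until the fifth probe, when the per-source count crosses the threshold and the "door knob rattling" label is added. Calling `accept()` on a reviewed connection is the feedback loop of the generic model: it moves that pair into the baseline.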
IDS Classification
Classification can be based on what they sense
– Network-based systems (NIDS)
• Sense packets on a network segment
• Easy to deploy, but they suffer throughput problems
– Host-based systems (HIDS)
• Inspect audit or log data
• Can affect performance on the host
– Hybrids
• Combine the best of both
(Figure: network-based IDS, "A Layer in the Defense".) Internet and adversary, external router, firewall with DMZ server(s), internal network; the network-based Intrusion Detection System sits alongside other network defense tools.
Network Based IDS
• Some detect intrusions only after the attacker is already inside, but at least you know
• Others detect the attacks themselves (attack detection systems)
• Where the sensor sits in the architecture determines which one you have
• More IDSes in the architecture can add protection
• Balance being inundated with false alarms against missing alert conditions that require action
• Ideal NIDS installation: start with as few sensors as possible
Host based IDS
• Set up a HIDS like a selective burglar alarm
• Deploy HIDS on critical servers devoid of interactive users
• Configuration options
– Critical file modification
– Log files getting smaller (truncation)
– Process table growing larger than normal, or too fast
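The three HIDS configuration options just listed, as an added example written for this page (not code from the course or from any HIDS product): it baselines SHA-256 digests of critical files in a scratch directory and re-checks them, compares successive log-file sizes, and watches the process-table count across polls. The file names and contents, log sizes, process counts and thresholds are constructed assumptions.

```python
import hashlib
import os
import shutil
import tempfile


def file_digest(path):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(paths):
    """File integrity baseline: record the digest of each critical file."""
    return {p: file_digest(p) for p in paths}


def check_files(base):
    """Compare current digests to the baseline; report missing or modified files."""
    alerts = []
    for path, digest in base.items():
        if not os.path.exists(path):
            alerts.append(("file-missing", path))
        elif file_digest(path) != digest:
            alerts.append(("file-modified", path))
    return alerts


def check_log_sizes(previous, current):
    """Logs should only grow between polls; shrinkage suggests truncation or tampering."""
    return [("log-shrank", name) for name, size in current.items()
            if name in previous and size < previous[name]]


def check_process_table(history, max_procs, max_growth):
    """Flag a process table that is larger than normal or growing too fast per poll."""
    alerts = []
    if history[-1] > max_procs:
        alerts.append(("process-table-large", history[-1]))
    if len(history) >= 2 and history[-1] - history[-2] > max_growth:
        alerts.append(("process-table-growing-fast", history[-1] - history[-2]))
    return alerts


def demo():
    """Constructed scenario: baseline two 'critical' files in a scratch directory,
    tamper with one, then run all three checks with constructed poll data."""
    scratch = tempfile.mkdtemp()
    try:
        passwd = os.path.join(scratch, "passwd")
        sshd_config = os.path.join(scratch, "sshd_config")
        with open(passwd, "wb") as f:
            f.write(b"root:x:0:0:root:/root:/bin/sh\n")
        with open(sshd_config, "wb") as f:
            f.write(b"PermitRootLogin no\n")
        base = baseline([passwd, sshd_config])

        # Tamper: an attacker re-enables root login in the (constructed) config.
        with open(sshd_config, "wb") as f:
            f.write(b"PermitRootLogin yes\n")

        alerts = check_files(base)
    finally:
        shutil.rmtree(scratch)

    # Constructed log sizes in bytes from two successive polls: auth.log shrank.
    alerts += check_log_sizes({"auth.log": 20480, "syslog": 90000},
                              {"auth.log": 1024, "syslog": 91000})
    # Constructed process counts from successive polls: a sudden jump to 400.
    alerts += check_process_table([120, 125, 131, 400], max_procs=300, max_growth=50)
    return alerts


if __name__ == "__main__":
    for kind, detail in demo():
        print(kind, detail)
```

Each check is a pure comparison against a baseline or a previous poll, which is what makes these alarms "selective": on a server with no interactive users, a changed config file, a shrinking auth log, or a process count jumping from 131 to 400 has no benign everyday explanation, so the false-positive rate stays low.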
What the different levels of IDS do
• Host-based Intrusion Detection
– Will catch users logged directly into a system
– Will miss network actions (the network as a whole)
• Network-based Intrusion Detection
– Will miss individual actions on the host the user is logged directly into
– Will be able to see attacks on multiple hosts ("door knob rattling")
– Where do you place the IDS? On the LAN, or outside the router (the connection to the Internet)?
Five Functional Areas of HIDS
(Figure.) Log/event monitoring, file integrity checking, network traffic monitoring, system monitoring, and policy compliance.
Ref: Rasmussen, ISSA, Mar 02
And what about IDS and the PSTN?
• Two aspects
– Detection of intrusions into the IP network from the PSTN
– Detection of intrusions into the PSTN and its systems
• Do you
– Have a separate system, or
– Feed the current IDS with data from the PSTN?
Strengths of IDSes
• Monitoring and analysis of system events and user behaviors
• Testing the security state of system configurations
• Recognizing known attack patterns
• Recognizing anomalies
• Measuring security policy enforcement
• Managing data flow
Weaknesses of IDSes - what they cannot do
• Compensate for weak or missing security mechanisms
• Provide instantaneous detection, reporting and attack response
• Detect newly published attacks
• Compensate for poor fidelity in their information sources
• Reduce manpower needs
IDS Adjusted Expectations
• Consider a building with motion detectors
– Works great when the building is empty
– But if activated during the day, many false positives
– Building managers don't expect them to work during the day
• It's possible to set up a network-based IDS (NIDS) and a host-based IDS (HIDS) together to limit false positives
Monitoring and the Law
• The issue is expectation of privacy: does the individual have one?
• You generally need to inform individuals using the system that their actions are subject to monitoring.
– Government systems have the warning banner.
– The same advice was issued by CERT (CA-92:19) for anybody wanting to monitor keystrokes.
• Note that it is considered not enough to notify all authorized users once (when they are issued their initial password, for example); the notice must be displayed each time at login.
An IDS Taxonomy
• 1. Source of Audit
• 2. Layout Technology
• 3. Data Processing
• 4. Structure or Arrangement
• 5. Data Collection
• 6. Time of Detection
• 7. Intrusion Prevention
• 8. Detection Paradigm
• 9. Detection Technique
• 10. Response Type
• 11. Placement of IDS
• 12. Usage Frequency
Ref: IDS Taxonomy, Data & Analysis Center for Software, June 2010, Amer and Hamilton
IDS Fad
• “ People buy the hottest IDS tool that will be very good about telling them about DOS in the network, but is useless detecting problems inside the host.”
• Matt Bishop, UC Davis
Summary
• Detection of incidents
• Basic IDS model and history
• IDS types and classification