Intrusion Detection
• Definition:
– Detection of an attack
• While it is going on
• Shortly after it has occurred
Intrusion Detection
• Goal:
– To thwart the attack
– Conduct forensic investigation
– Minimize damage
– Learn how the attack was conducted and improve system security
Intrusion Detection
• General theory behind ID
– Actions of normal system processes and users conform to a pattern that can be defined mathematically
– Users and processes are not trying to break the system
– Users and processes have a set of defined privileges and actions
Intrusion Detection
• To do intrusion detection, build a system that monitors for changes in the previous assumptions
• Example
– 90 % of CPU usage occurs between 8 am and 5 pm
– Users don't usually browse the password files
– More than 3 failed login attempts may be an attack because users usually log in on the first try
Intrusion Detection
• Attack tools
– Are how systems are usually attacked
– Are usually a piece of existing software
– Are generally automated
• Attackers want volume in an attack
• Want to look at many computers and find a few that are not secure
• Want the computer to do the bulk of the work on the attack
Intrusion Detection
• Example of Attack Tool– Root kits
• Replace existing operating system file
• Sniff passwords and network connections
• Run with root privilege
• E.g. ls, du, netstat, ifconfig (network device configurations)
• Run concealed
• Allow access to the hacker through a back door
• Denning – Hypothesis that exploitation of vulnerabilities requires abnormal use of existing commands
– Therefore look for abnormality in command usage on the system
– Key idea behind detection
Intrusion Detection
• Intrusion Detection Systems (IDS)
– An automated system that looks for abnormal patterns in:
• system commands
• usages
• volumes
• access to locations in the system
• failures
Intrusion Detection
• An IDS must be automated because
– System logs contain tons and tons of information
– Often looking for 5-20 abnormal changes in 5000 lines of data
– Slow attacks are even worse to detect because
• Actions happen over an extended period of time
• Logs don't show adjacent sequences of activities
Intrusion Detection
• A good IDS has 4 characteristics (Bishop)
– Detects a wide variety of attacks
• Not as simple as it sounds
• How can you detect an attack if you don't know how it works and have never seen one before?
• Class ideas?
Intrusion Detection
• Good IDSs have 4 characteristics
– Detect attacks in a timely fashion
• How fast is fast enough?
• Discussion?
• Real-time systems may bog down processing
– Which is an attack in its own right
– A denial of service attack
Intrusion Detection
• Good IDSs have 4 characteristics
– Must present analysis in a clear, simple format
• Problems:
• False positives – thinks an attack is going on when it really is not
• False negatives – does not think an attack is going on when it really is
Intrusion Detection
• Good IDSs have 4 characteristics
– Must be accurate
• The false positive / false negative problem from the previous slide
– We only want to respond to the real stuff because responding:
• Is time consuming
• May lead to actions that damage the system without cause
• Draws resources away from dealing with a real attack that could start as you are investigating
Intrusion Detection
• Three system models for an IDS
– Anomaly detection
– Misuse detection
– Specification detection (the newest of the three)
Intrusion Detection
• Anomaly detection
– Assumes that unexpected behavior is evidence of an attack
– Compares a set of variables and their values to a known set of variables
– Tries to reason about an attack based on data that does not match
– Usually done with statistics but could be done with other techniques also
Intrusion Detection
• Anomaly Detection – Threshold approach
• When one or more variables are above a certain level, declare an attack
• Examples:
– number of failed logins for a given user id in 10 minutes
– disk usage
– # of packets on port x in time period n
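The failed-login example from the slide, worked through as a sliding-window threshold detector. This is an added example, not code from the slides; the log lines are constructed, and the 10-minute window and the "more than 3" limit are the values the slide gives.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of login records: "<ISO timestamp> <OK|FAIL> <user>"
SAMPLE_LOG = """\
2024-01-15T09:00:05 FAIL alice
2024-01-15T09:01:10 FAIL alice
2024-01-15T09:02:30 OK alice
2024-01-15T09:03:00 FAIL bob
2024-01-15T09:04:00 FAIL bob
2024-01-15T09:05:00 FAIL bob
2024-01-15T09:06:00 FAIL bob
2024-01-15T09:30:00 FAIL carol
2024-01-15T09:45:00 FAIL carol
2024-01-15T09:55:00 FAIL carol
2024-01-15T10:02:00 FAIL carol
"""

WINDOW = timedelta(minutes=10)   # the "10 minutes" from the slide
THRESHOLD = 3                    # "more than 3 failed login attempts"


def parse_log(text):
    """Turn the raw lines into (timestamp, result, user) tuples."""
    events = []
    for line in text.splitlines():
        ts, result, user = line.split()
        events.append((datetime.fromisoformat(ts), result, user))
    return events


def threshold_alerts(events, window=WINDOW, threshold=THRESHOLD):
    """Return (user, timestamp) pairs at which a user's failed logins inside
    the sliding window exceeded the threshold."""
    recent = defaultdict(deque)   # per-user queue of failure timestamps in the window
    alerts = []
    for ts, result, user in sorted(events):
        if result != "FAIL":
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:   # age out failures older than the window
            q.popleft()
        if len(q) > threshold:
            alerts.append((user, ts))
    return alerts


def alert_users(text):
    """Convenience: the set of users that tripped the threshold, sorted."""
    return sorted({user for user, _ in threshold_alerts(parse_log(text))})


if __name__ == "__main__":
    for user, ts in threshold_alerts(parse_log(SAMPLE_LOG)):
        print(f"{ts.isoformat()} possible attack on account {user}")
```

Only bob trips the threshold. carol's four failures are spread over 32 minutes, so no 10-minute window ever holds more than two of them: that is the slow-attack problem from the earlier slide, and it is why a fixed threshold alone is not enough.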
Anomaly Detection
• Threshold approach problems
– Users have different skill levels
• Example: an Asian user of an English computer system
• Class?
– One threshold is generally applied to all
– However, this approach can penalize new users by locking them out of the system
Anomaly Detection
• Statistical Moment Approach
– Instead of setting a threshold, calculate:
• Averages
• Means
• Standard deviations
– Look for deviations from these values
Anomaly Detection
• Statistical Moment Approach – Problems
• Data may change over time in unexpected ways
– New users
– Users become smarter
• Need to age data somehow to show how the system is changing
• How do we do this?
• Generally a better system than thresholds
• May use an expert system (Haystack, IDES)
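One answer to "how do we age the data": keep the mean and variance as exponentially weighted moments, so recent observations count more than old ones, and flag values more than k standard deviations from the current profile. This is an added example, not code from the slides or from Haystack or IDES; the series of daily transfer volumes is constructed, and the alpha, warm-up and k values are choices for the example.

```python
import math

# Constructed series: a user's daily data transfer in MB; the 11th day is the outlier
SAMPLE_SERIES = [100, 110, 95, 105, 100, 98, 102, 107, 97, 103, 900, 101]


class AgedProfile:
    """Per-subject mean and variance kept as exponentially weighted moments,
    so old observations fade out (the 'aging' the slide asks for) instead of
    dominating the baseline forever."""

    def __init__(self, alpha=0.2, warmup=5, k=3.0):
        self.alpha = alpha      # weight of the newest observation
        self.warmup = warmup    # observations to absorb before scoring anything
        self.k = k              # deviations (in standard deviations) that count as anomalous
        self.n = 0
        self.mean = 0.0
        self.var = 0.0

    def zscore(self, x):
        """Distance of x from the profile in standard deviations (0 while warming up)."""
        if self.n < self.warmup or self.var == 0.0:
            return 0.0
        return (x - self.mean) / math.sqrt(self.var)

    def update(self, x):
        if self.n == 0:
            self.mean = float(x)
        else:
            delta = x - self.mean
            self.mean += self.alpha * delta
            # exponentially weighted variance (same recurrence as the EW mean)
            self.var = (1.0 - self.alpha) * (self.var + self.alpha * delta * delta)
        self.n += 1

    def observe(self, x):
        """Score x, then fold it into the baseline only if it looked normal, so a
        sustained attack cannot teach the profile to accept itself."""
        z = self.zscore(x)
        anomalous = abs(z) > self.k
        if not anomalous:
            self.update(x)
        return z, anomalous


def detect(series, **profile_args):
    """Return the indices in the series that the profile flags as anomalous."""
    profile = AgedProfile(**profile_args)
    return [i for i, x in enumerate(series) if profile.observe(x)[1]]


if __name__ == "__main__":
    print("anomalous indices:", detect(SAMPLE_SERIES))
```

The 900 MB day scores hundreds of standard deviations out and is flagged; the baseline is not updated with it, so the next normal day still scores as normal. In practice a floor on the variance is also needed, because a profile built from identical values has zero variance and would then treat any change at all as infinitely far away.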
Anomaly Detection
• State Machine Model
– Series of events occur in regular sequences
– Certain events are more likely to follow other events – state transitions
– When a low-probability transition occurs then it is probably anomalous
– Draw: login, cd home dir -> open word processor
– Can be utilized with system calls: open, read, write, close
Anomaly Detection
• State Machine– Problems
• Need to know the events and sequences ahead of time
• Need training data
• System may change based on addition of new software
• Can only be run on the computer from which the training data is derived
Anomaly Detection
• What features and data variables to watch is critical to the success of AD
• Frank demonstrated that selection of the "best" features for a network activity classification program could be based on eliminating features based on the error rate they induce in classification of activity
– He found that about 5 features was right for his study
Anomaly Detection
• Generally assumes a Gaussian distribution
– A bell curve that shows what is normal
• Some systems may cluster data by related values such as "read time" for a file and "cpu usage" for the read
– Outliers – values that don't fit into a cluster – can then be an attack
– Draw
Misuse Detection
• An attack by an insider who generally has authorized access
• Is rule based
• Looks for sequences of commands that knowingly violate policy
• Example
Misuse Detection
• Rules are placed into a rule set
• The IDS processes rules against system logs looking for violations of the rules
• Often involves expert systems because rules can be ambiguous
Misuse Detection
• Can't detect attacks that are unknown – the attack's sequence of rule violations is not known
• Can enhance systems to make them adaptive via Petri nets
Misuse Detection
• IDIOT – Spafford, uses Petri nets
• Defines
– events – a change in system state
• a record of the event
– transitions from one state to another on an event
– transitions may have tests (guards) that check for existence of variables in certain states and / or make assignments
– Can have separate transition branches that merge
– Draw
Misuse Detection
• IDIOT classified attacks by categories:
– existence – attack creates a file
– sequence – attack causes several events to occur sequentially
– partial order – attack causes two or more sequences of events that form an ordering over time
– interval – two events occur exactly n units of time apart
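Rule-based misuse detection over an audit trail, covering the rule-set slides above and three of IDIOT's categories (existence, sequence with guards, interval). This is an added example, not IDIOT's own code or Petri-net machinery: the audit records are constructed, and the sequence rule used for illustration is the symlink-then-chmod pattern the specification slides later describe for rdist.

```python
from dataclasses import dataclass, field


@dataclass
class Event:
    t: float          # seconds since start of the audit trail
    name: str         # audit record type
    attrs: dict = field(default_factory=dict)


# Constructed audit trail. Records 2 and 3 are a symlink followed by a privileged
# chmod on the same path; records 4-6 are repeated failed logins.
AUDIT_TRAIL = [
    Event(1.0, "open", {"path": "/etc/motd", "uid": 1001}),
    Event(2.0, "symlink", {"path": "/tmp/work/x", "target": "/etc/passwd", "uid": 1001}),
    Event(5.0, "chmod", {"path": "/tmp/work/x", "mode": 0o666, "uid": 0}),
    Event(7.0, "login", {"user": "bob", "result": "fail"}),
    Event(10.0, "login", {"user": "bob", "result": "fail"}),
    Event(13.0, "login", {"user": "bob", "result": "fail"}),
]


def match_existence(events, name, guard=lambda ev: True):
    """Existence pattern: some event of this type satisfies the guard."""
    return any(ev.name == name and guard(ev) for ev in events)


def match_sequence(events, steps):
    """Sequence pattern with guards. Each step is (name, {attr: var}); the first
    event that binds a variable fixes it and later steps must agree (this is the
    'check for existence of variables in certain states' from the IDIOT slide).
    Returns the bindings of the first match in audit order, or None."""
    def search(start, step, bindings):
        if step == len(steps):
            return bindings
        name, attr_vars = steps[step]
        for j in range(start, len(events)):
            ev = events[j]
            if ev.name != name:
                continue
            new = dict(bindings)
            consistent = True
            for attr, var in attr_vars.items():
                val = ev.attrs.get(attr)
                if var in new and new[var] != val:
                    consistent = False
                    break
                new[var] = val
            if consistent:
                found = search(j + 1, step + 1, new)
                if found is not None:
                    return found
        return None
    return search(0, 0, {})


def match_interval(events, name, n, same=()):
    """Interval pattern: pairs of events of this type exactly n seconds apart
    that agree on the attributes listed in `same`."""
    pairs = []
    candidates = [ev for ev in events if ev.name == name]
    for a in candidates:
        for b in candidates:
            if b.t - a.t == n and all(a.attrs.get(k) == b.attrs.get(k) for k in same):
                pairs.append((a.t, b.t))
    return pairs


# Rule: a symlink is created at path P, then something chmods that same path P.
SYMLINK_CHMOD_RULE = [("symlink", {"path": "P", "uid": "U"}), ("chmod", {"path": "P"})]

if __name__ == "__main__":
    print(match_sequence(AUDIT_TRAIL, SYMLINK_CHMOD_RULE))
```

The sequence matcher is a small state table with variable bindings; reversing the two steps of the rule finds nothing, because the order of events in the audit trail is part of the signature. The interval matcher finds the two pairs of bob's failures that are exactly 3 seconds apart.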
Misuse Detection
• IDIOT
– monitors audit trail logs
– STAT is a similar system
• Ilgun
• No guards
• uses state tables
• looks at the sequence of commands to e.g. get a forbidden privilege
Specification Modeling
• Misuse detection looks for states known to be bad
• Specification modeling looks for states known to not be good – a possible intrusion
• Builds specifications for how a program should run
• Examines program for deviations from good states
Specification Modeling
• Ko developed a specification based IDS
• Monitored 15 security related programs
• Monitored things like:
– object access
– synchronization of data
– sequences of commands
– race conditions
Specification Modeling
• They looked at rdist (remote distribution)
• Rdist updates programs on remote systems
• Problem is that rdist modifies permissions on files
– by replacing a file with a symbolic link to another file, one can get rdist to change permissions on that file
Specification Modeling
• SM – utilizes grammars to specify actions
– grammars define acceptable activities
– is a relatively new field
– because it specifies what should happen
• unknown attacks can be detected
– Class drawbacks?
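Specification modeling applied to the rdist case from the previous slides, as an added example. The specification below is hypothetical (an assumption for this example, not Ko's actual specification, and the spool directory path is made up): the program may create files only under its spool directory, may write to, chmod and rename only files it created itself, may never chmod through a symbolic link, and may do nothing else. The two traces are constructed.

```python
# Hypothetical spool directory for an rdist-like installer (assumption)
SPOOL_DIR = "/var/spool/rdist/"

# Constructed traces. Each step is a dict of the operation and its arguments.
BENIGN_TRACE = [
    {"op": "create", "path": "/var/spool/rdist/prog.tmp"},
    {"op": "write", "path": "/var/spool/rdist/prog.tmp"},
    {"op": "chmod", "path": "/var/spool/rdist/prog.tmp", "symlink": False},
    {"op": "rename", "path": "/var/spool/rdist/prog.tmp", "dest": "/usr/local/bin/prog"},
]
# Same run, but between the write and the chmod the temporary file was replaced
# by a symbolic link, so the chmod would land on whatever the link points at.
ATTACK_TRACE = [
    {"op": "create", "path": "/var/spool/rdist/prog.tmp"},
    {"op": "write", "path": "/var/spool/rdist/prog.tmp"},
    {"op": "chmod", "path": "/var/spool/rdist/prog.tmp", "symlink": True},
    {"op": "exec", "path": "/bin/sh"},
]

CREATE_OUTSIDE_SPOOL = "create outside spool directory"
NOT_OWN_FILE = "operation on a file the program did not create"
CHMOD_VIA_SYMLINK = "chmod through a symbolic link"
NOT_IN_SPEC = "operation not in specification"


def check_trace(trace, spool=SPOOL_DIR):
    """Walk the trace against the specification and return (step, reason) for
    every deviation. Nothing here knows what an attack looks like; it only
    knows what the program is supposed to do, which is why the unseen exec
    is caught as well."""
    created = set()
    violations = []
    for i, step in enumerate(trace):
        op, path = step["op"], step.get("path")
        if op == "create":
            if path.startswith(spool):
                created.add(path)
            else:
                violations.append((i, CREATE_OUTSIDE_SPOOL))
        elif op in ("write", "chmod", "rename"):
            if path not in created:
                violations.append((i, NOT_OWN_FILE))
            elif op == "chmod" and step.get("symlink"):
                violations.append((i, CHMOD_VIA_SYMLINK))
            elif op == "rename":
                created.discard(path)   # the file has left the spool area
        else:
            violations.append((i, f"{NOT_IN_SPEC}: {op}"))
    return violations


if __name__ == "__main__":
    print("benign:", check_trace(BENIGN_TRACE))
    print("attack:", check_trace(ATTACK_TRACE))
```

The benign trace produces no deviations. In the second trace the chmod through a link is a deviation even though no rule about symlink attacks was written, and the exec is flagged simply because the specification never allowed it. The drawback the slide asks the class about is visible too: someone had to write that specification, and it must be revised whenever the program legitimately changes.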
Summary
• Misuse detection – detects violations of policy, implicit or explicit
– need to develop rules, states, actions etc.
– must have them in a rule base
– only detects attacks that are known
Summary
• Anomaly Detection
– detects policy violations also
– a little more generalized than misuse detection
– uses statistics to find deviations
Summary
• Specification Modeling
– must have rules for how a good program is operating
– need experts to define rules
– can detect unknown attacks
Architecture
• IDS works off of audit trails
• Audit trails found in logs
• Best to collect log data from all over the system due to distributed attacks
• Generally constructed in 3 subsystems
Architecture
• Agent
– a relatively autonomous piece of software that collects data from a local machine
– may format the data
• why?
– sends the data to a centralized system
– may weed out data that is not deemed to be important
Architecture
• Agents can be:– host based
• utilize system and application logs
• may be security logs or accounting logs
• a virtual agent can be in the kernel and write data to logs it finds interesting
• logs can be very large
Architecture
• Agents can be – network based
• use devices and software to monitor network traffic
• used to detect network based attacks
• utilize sniffing
• monitor contents of packets
• must be arranged in a way to provide full network coverage
• encipherment makes this task a problem
Architecture
• Agents send formatted information to the director software
• Directors
– eliminate unnecessary log entries
– utilize an analysis engine to find attacks
– usually are run on a separate system
– adaptive directors may alter search rules (neural network)
Architecture
• Notifier
– accepts information from the director and takes appropriate action
– may notify a security officer via a GUI
– may be proactive in combating an attack
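The three subsystems end to end, as an added example that is not code from the slides or from any of the systems named later. Two agents on two hosts read logs in different formats (the log lines, host names and addresses are constructed), answer the "why format?" question by emitting one common record type, weed out the uninteresting lines locally, and hand the rest to a director whose analysis engine looks for one source failing authentication on more than one host, which is the distributed-attack case the architecture slide mentions; the notifier turns the findings into messages.

```python
import re
from collections import defaultdict

# Constructed raw logs from two hosts in two different formats.
AUTH_LOG_HOST_A = """\
Jan 15 09:01:10 hostA sshd[412]: Failed password for alice from 203.0.113.7 port 5001
Jan 15 09:01:12 hostA sshd[412]: Failed password for root from 203.0.113.7 port 5002
Jan 15 09:02:00 hostA cron[99]: (root) CMD (run-parts /etc/cron.hourly)
"""
WEB_LOG_HOST_B = """\
203.0.113.7 - - [15/Jan/2024:09:01:30 +0000] "POST /login HTTP/1.1" 401 12
198.51.100.4 - - [15/Jan/2024:09:01:31 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [15/Jan/2024:09:01:35 +0000] "POST /login HTTP/1.1" 401 12
"""

SSH_FAIL = re.compile(r"(\S+) sshd\[\d+\]: Failed password for (\S+) from (\S+)")
WEB_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]+" (\d{3})')


def agent_auth(raw):
    """Agent on host A: keep only authentication failures, as common records."""
    records = []
    for line in raw.splitlines():
        m = SSH_FAIL.search(line)
        if m:   # everything else (the cron noise) is weeded out here, on the host
            records.append({"host": m.group(1), "kind": "auth_fail",
                            "user": m.group(2), "src": m.group(3)})
    return records


def agent_web(raw, host="hostB"):
    """Agent on host B: a 401 on the login form is an authentication failure too."""
    records = []
    for line in raw.splitlines():
        m = WEB_LINE.match(line)
        if m and m.group(2) == "POST" and m.group(3) == "/login" and m.group(4) == "401":
            records.append({"host": host, "kind": "auth_fail",
                            "user": None, "src": m.group(1)})
    return records


def director(records, min_hosts=2):
    """Analysis engine: a source failing authentication on several hosts."""
    hosts_by_src = defaultdict(set)
    for r in records:
        if r["kind"] == "auth_fail":
            hosts_by_src[r["src"]].add(r["host"])
    return {src: sorted(hosts) for src, hosts in hosts_by_src.items()
            if len(hosts) >= min_hosts}


def notifier(findings):
    """Turn the director's findings into messages for the security officer."""
    return [f"ALERT: {src} failed authentication on {', '.join(hosts)}"
            for src, hosts in sorted(findings.items())]


if __name__ == "__main__":
    records = agent_auth(AUTH_LOG_HOST_A) + agent_web(WEB_LOG_HOST_B)
    for msg in notifier(director(records)):
        print(msg)
```

Neither host on its own sees more than a couple of failures, so a per-host threshold would stay quiet; the correlation only exists once both agents report to the same director in the same record format.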
Systems to Look At
• Courtney – monitors for use of SATAN
• SATAN – system for finding weaknesses in Unix
• IDIP – coordinates IDSs on firewalls to block attacks
• NSM – develops profiles of system usage and compares against profiles, e.g. repeated telnet connections of short duration
Systems to Look At
• DIDS – distributed IDS based on NSM and works in conjunction with host based IDSs
– NSM is network based only
• AAFID – autonomous agents that report data; distributes components of the IDS into pieces
– eliminates a single point of failure; the director is distributed
Incident Response
• Ideally you want to
– detect the attack as it starts
– take defensive measures
– work automatically
– can be very system resource intensive
• why?
Incident Response
• Definition:– Jailing
• placing an attacker in a confined area of the system
• letting them think that they are inside the system
• allows one to observe the hacker
• sometimes referred to as a honey pot
• usually has a faked file system
• may intercept system calls and do something (kernel)
Incident Response
• Goal – to restore the system to comply with the security policy
– replace / fix damaged resources
Incident Response
• Six phases:
– preparation
• procedures and methods for detection
• backups
– identification
• id the attack
• trigger for following phases
Incident Response
• Containment
– limits the damage as much as possible
– may not be possible if you have a real-time system
– attacks generally probe for a while and then do damage
– you can get a chance to contain if you detect probing
Incident Response
• Eradication
– stops the attack if done in real time
– puts mechanisms in place to thwart other attacks
• Recovery
– restores the system to its pre-attack configuration
– must detect what has been modified
Incident Response
• Response – Follow up
– taking action against the attacker
• forensic investigation
• counter attack
• law enforcement
– fixing holes in your system
– documentation of lessons learned
– documentation of attack details
Details
• Containment – approaches
• passive monitoring – meant to record actions for later use
– examine goals and techniques of the hacker
– a honeypot
• constraining actions of the hacker
– goal is to prevent the hacker from accomplishing their aims
– problem: may not know what the goal is
Details
• Eradication
– goal is to stop the attack
– must ensure it does not resume immediately
– may block attacks by placing wrappers around a suspected target
– wrappers control access
– want to embed wrappers in the kernel to make them hard to bypass
– Example
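A user-space sketch of the wrapper idea, added here as an example and not code from the slides: an access-control check is placed in front of a service handler so the handler never sees a rejected connection, and an eradication step prepends a deny rule for a flagged source so the attack cannot simply resume. The rule format (service, network, action; first match wins; default deny) and the addresses are assumptions of this example, not the syntax of any real wrapper tool, and a real deployment would put this check in the kernel or at the firewall, as the slide says, rather than in the application.

```python
import ipaddress
from functools import wraps

# Constructed rules: (service, source network, action); first match wins, default deny
RULES = [
    ("sshd", "192.0.2.0/24", "allow"),
    ("sshd", "0.0.0.0/0", "deny"),
    ("httpd", "0.0.0.0/0", "allow"),
]


def decide(service, src_ip, rules):
    """Return 'allow' or 'deny' for a connection from src_ip to service."""
    ip = ipaddress.ip_address(src_ip)
    for svc, net, action in rules:
        if svc == service and ip in ipaddress.ip_network(net):
            return action
    return "deny"


def quarantine(rules, service, src_ip):
    """Eradication step: once the director flags a source, insert a deny rule
    ahead of everything else (in place, so running wrappers see it at once)."""
    rules.insert(0, (service, f"{src_ip}/32", "deny"))


class AccessDenied(Exception):
    pass


def wrapped(service, rules):
    """Decorator that puts the access check in front of a service handler."""
    def decorate(handler):
        @wraps(handler)
        def guarded(src_ip, *args, **kwargs):
            if decide(service, src_ip, rules) != "allow":
                raise AccessDenied(f"{service}: connection from {src_ip} refused")
            return handler(src_ip, *args, **kwargs)
        return guarded
    return decorate


def make_http_handler(rules):
    """Build a toy httpd handler guarded by the given (live) rule list."""
    @wrapped("httpd", rules)
    def http_handler(src_ip, request):
        return f"200 OK for {request} from {src_ip}"
    return http_handler


if __name__ == "__main__":
    live_rules = list(RULES)
    handler = make_http_handler(live_rules)
    print(handler("203.0.113.7", "/index.html"))
    quarantine(live_rules, "httpd", "203.0.113.7")
    try:
        handler("203.0.113.7", "/index.html")
    except AccessDenied as e:
        print(e)
```

Default deny matters for the "does not resume" goal: a service with no rule at all is refused rather than silently allowed, and adding the quarantine rule at the front means it wins over the broad allow below it.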
Details
• Eradication
– good to place wrappers at the firewall
– firewalls filter network traffic
– example
– IDIP – intrusion detection and isolation protocol
• are firewalls
• work to communicate directly with each other
• coordinate a response to an attack
Details
• Follow up – most common is to follow up with legal action
– how to trace the attack for follow up
• thumbprinting
– monitor connections between any two hosts
– check for similar content moving across the connections
– method allows you to trace back to the source of the attack
– hackers may move through multiple hosts before attacking
– software needs to be small, effective and fast
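Thumbprinting as an added example (not code from the slides): each monitored connection is reduced to a small content summary, and the trace-back walks from the victim to the connection into the previous host whose thumbprint matches, one hop at a time, until no matching upstream connection exists. The connection records, host names and session contents are constructed, and the character-frequency thumbprint with cosine similarity is one simple choice of summary for this example.

```python
import math
from collections import Counter, namedtuple

Connection = namedtuple("Connection", "src dst content")

# Constructed connection records: the first two carry the same interactive
# session relayed through hostA; the other two are unrelated traffic.
CONNECTIONS = [
    Connection("203.0.113.7", "hostA", "cd /tmp\nls -la\nwho\nexit\n"),
    Connection("hostA", "hostB", "cd /tmp\nls -la\nwho\nexit\n"),
    Connection("hostX", "hostA", "uptime\n"),
    Connection("hostC", "hostD", "GET /index.html HTTP/1.1\r\nHost: hostD\r\n\r\n"),
]


def thumbprint(content):
    """Relative frequency of each non-whitespace character in the connection's
    content: cheap to compute and to keep, as the slide asks of the software."""
    counts = Counter(ch for ch in content if not ch.isspace())
    total = sum(counts.values())
    return {ch: n / total for ch, n in counts.items()} if total else {}


def similarity(a, b):
    """Cosine similarity of two thumbprints, 0.0 .. 1.0."""
    dot = sum(a.get(k, 0.0) * b.get(k, 0.0) for k in set(a) | set(b))
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def trace_back(conns, victim, threshold=0.9):
    """From the connection into the victim, repeatedly pick the connection into
    the current upstream host whose thumbprint matches best, and return the
    hosts along the chain from origin to victim."""
    prints = {c: thumbprint(c.content) for c in conns}
    chain = [c for c in conns if c.dst == victim][:1]
    if not chain:
        return []
    while True:
        cur = chain[-1]
        candidates = [c for c in conns
                      if c.dst == cur.src and c not in chain
                      and similarity(prints[c], prints[cur]) >= threshold]
        if not candidates:
            break
        chain.append(max(candidates, key=lambda c: similarity(prints[c], prints[cur])))
    return [c.src for c in reversed(chain)] + [victim]


if __name__ == "__main__":
    print(" -> ".join(trace_back(CONNECTIONS, "hostB")))
```

The unrelated connection into hostA (the "uptime" session) scores about 0.5 against the relayed session and is not followed, so the chain stops at 203.0.113.7. Encrypted hops defeat this particular thumbprint, since the content is no longer comparable, which is the encipherment problem the architecture slides raised for network agents.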
Details
• Follow Up
– may use IP header marking
• examine and mark contents of headers to trace an attack back to its source
• don't want to do this for every packet
• deterministic marking – marks every n packets using an algorithm
• marking is done in extra bits that are not utilized in IP headers
Details
• Follow Up – counter attacking
• filing criminal complaints
– requires a good chain of evidence to establish that the attack was real – not an accident or error
• technical attack
– goal is to damage their system
– problems
» may harm innocent parties
» may have side effects – denial of service
» may get you in trouble legally