Presentation is loading. Please wait.

Presentation is loading. Please wait.

Distributed Intrusion Detection Mamata Desai (99305903) M.Tech.,CSE dept, IIT Bombay.

Similar presentations

Presentation on theme: "Distributed Intrusion Detection Mamata Desai (99305903) M.Tech.,CSE dept, IIT Bombay."— Presentation transcript:

1 Distributed Intrusion Detection Mamata Desai (99305903) M.Tech.,CSE dept, IIT Bombay

2 Overview  What is intrusion ?  Dealing with intrusion  Intrusion detection principles  Our problem definition  Packages analyzed  Our approach  Experiments and Results  Conclusions

3 What is intrusion ?  The potential possibility of a deliberate unauthorized attempt to: 1.Access information 2.Manipulate information 3.Render a system unreliable or unusable  Types of intrusions: –External attacks Password cracks, network sniffing, machine & services discovery utilities, packet spoofing, flooding utilities, DOS attacks –Internal penetrations – Masqueraders, clandestine users –Misfeasors – authorized misuse

4 Example attacks  Password cracking  Buffer overflow  Network reconnaissance  Denial of service (DoS)  IP spoofing

5 Dealing with intrusion  Prevention –isolate from n/w, strict auth, encryption  Preemption –“do unto others, before they do unto you”  Deterrence –dire warnings: “we have a bomb too”  Deflection –diversionary techniques to lure away  Counter measures  Detection

6 Intrusion Detection principles  Anomaly-based –Form an opinion on what constitutes “normal”, and decide on a threshold to flag as “abnormal” –Cannot distinguish illegal from abnormal  Signature-based –Model signatures of previous attacks and flag matching patterns –Cannot detect new intrusions  Compound

7 System characteristics  Time of detection  Granularity of data processing  Source of audit data  Response to detected intrusions –passive v/s active  Locus of data-processing  Locus of data-collection  Security  Degree of inter-operability

8 Host-based v/s Network-based IDS  Host-based IDS 1.Verifies success or failure of an attack 2.Monitors specific system activities 3.Detects attacks that n/w based systems miss 4.Well-suited for encrypted and switched environments 5.Near-real-time detection and response 6.Requires no additional hardware 7.Lower cost of entry

9 …contd.  Network-based IDS 1.Lower cost of ownership 2.Detects attacks that host-based systems miss 3.More difficult for an attacker to remove evidence 4.Real-time detection and response 5.Detects unsuccessful attacks and malicious intent 6.Operating system independence 7.Performance issues

10 Our problem definition  Portscanning  Our laboratory setup –Multiple machines with similar configuration  Portscan on a single machine  Distributed portscan - Small evasive scans on multiple machines  Aim – Detect such distributed scans

11 Typical lab setup

12 Types of Portscans  Scan types: –TCP connect() scan –Stealth SYN scan –Stealth FIN scan –Xmas scan –Null scan  Scan sweeps: –One-to-one, one-to-many, many-to-one, many- to-many

13 SourceTargetNetwork Messages Send SYN, seq=x Receive SYN segment Send SYN, seq=y, ACK x+1 Receive SYN + ACK segment Send ACK y+1 Receive ACK segment Send ACK+FIN+RST Receive ACK+FIN+RST … more packet exchanges Normal sequence of packets

14 SourceTargetNetwork Messages Send SYN, seq=x Receive SYN segment Send SYN, seq=y, ACK x+1 Receive SYN + ACK segment Send RST Receive RST Stealth SYN scan

15 SourceTargetNetwork Messages Stealth FIN scan Send FIN Receive FIN

16 SourceTargetNetwork Messages Stealth Xmas scan Send FIN+PSH+URG Receive FIN+PSH+URG

17 Packages analyzed  Sniffit ( –A network sniffer for TCP/UDP/ICMP packets –Interactive mode  Tcpdump ( –A tool for network monitoring and data acquisition  Nmap ( –“Network mapper” for network exploration, security auditing –Various types of TCP/UDP scans, ping scans

18 …contd  Portsentry ( –Host-based TCP/UDP portscan detection and active defense system –Stealth scan detection –Reacts to portscans by blocking hosts –Internal state engine to remember previously connected hosts –All violations reported to syslog  Snort ( –Network-based IDS – real-time analysis and traffic logging –Content searching/matching to detect attacks and probes – buffer overflows, CGI attacks, SMB probes, OS fingerprinting attacks –Rules language to describe traffic to collect or pass –Alerts via syslog, user files, WinPopUp messages –3 functional modes – sniffer, packet logger, NIDS

19 …contd  Portsentry –Binds to all ports to be monitored –A static “list” of ports monitored –State engine – different hosts  Snort –Preprocessor – connections to P ports in T seconds –V1.8 – only one-to-one and one-to-many portscans detected

20 Our approach  Pick up network packets  Based on which type of portscan is to be analyzed, identify the scan signature  Add each source and target IP address, to the correlation lists  Use the correlation lists to infer the scan sweep – one-to-one, one-to-many, many-to- one, many-to-many

21 Experimental Setup

22 Detection algorithm  Examine each TCP packet on the network.  Extract source and target IP addrs and ports.  For each scan type to be detected, maintain a list of “valid” connections.  When a scan signature is detected, add source and target IP addrs to 2 correlation lists pointed to by srcIP and tarIP, remove entry from connections list.

23 …contd  Identical correlation lists record source and target IP addrs info, along with number of scans.  Scan sweeps one-to-one, one-to-many, many-to-one, and many-to-many are detected by passes thru the correlation lists.


25 Experiments SourceTargetTCP ports pro-13pro-1925, 119 pro-15pro-2121, 23, 80 pro-17pro-2322, 79 SourceTargetTCP ports pro-13pro-19 pro-21 pro-23 7, 20, 21 22, 23, 25, 53 69, 79, 80, 88 pro-15pro-19 pro-21 110, 111, 119 139, 143, 194, 220 One-to-one scan One-to-many scan

26 …contd SourceTargetTCP ports pro-13pro-21443, 513, 518 pro-15pro-21873, 3130, 6667 pro-17pro-21107, 20, 21, 23 SourceTargetTCP ports pro-13pro-19 pro-21 pro-23 7, 20, 21, 79 80, 113, 119, 139 143, 194, 667 pro-15…… pro-17…… Many-to-one scan Many-to-many scan

27 Conclusions  All the scans performed by nmap were detected successfully by our detector and the correlations were accurate.  Some stray incidents of ident lookups did get classified as scans, due to the way closed ports behave.

Download ppt "Distributed Intrusion Detection Mamata Desai (99305903) M.Tech.,CSE dept, IIT Bombay."

Similar presentations

Ads by Google