Overview What is intrusion ? Dealing with intrusion Intrusion detection principles Our problem definition Packages analyzed Our approach Experiments and Results Conclusions
What is intrusion ? The potential possibility of a deliberate unauthorized attempt to: 1.Access information 2.Manipulate information 3.Render a system unreliable or unusable Types of intrusions: –External attacks Password cracks, network sniffing, machine & services discovery utilities, packet spoofing, flooding utilities, DOS attacks –Internal penetrations – Masqueraders, clandestine users –Misfeasors – authorized misuse
Example attacks Password cracking Buffer overflow Network reconnaissance Denial of service (DoS) IP spoofing
Dealing with intrusion Prevention –isolate from n/w, strict auth, encryption Preemption –“do unto others, before they do unto you” Deterrence –dire warnings: “we have a bomb too” Deflection –diversionary techniques to lure away Counter measures Detection
Intrusion Detection principles Anomaly-based –Form an opinion on what constitutes “normal”, and decide on a threshold to flag as “abnormal” –Cannot distinguish illegal from abnormal Signature-based –Model signatures of previous attacks and flag matching patterns –Cannot detect new intrusions Compound
System characteristics Time of detection Granularity of data processing Source of audit data Response to detected intrusions –passive v/s active Locus of data-processing Locus of data-collection Security Degree of inter-operability
Host-based v/s Network-based IDS Host-based IDS 1.Verifies success or failure of an attack 2.Monitors specific system activities 3.Detects attacks that n/w based systems miss 4.Well-suited for encrypted and switched environments 5.Near-real-time detection and response 6.Requires no additional hardware 7.Lower cost of entry
…contd. Network-based IDS 1.Lower cost of ownership 2.Detects attacks that host-based systems miss 3.More difficult for an attacker to remove evidence 4.Real-time detection and response 5.Detects unsuccessful attacks and malicious intent 6.Operating system independence 7.Performance issues
Our problem definition Portscanning Our laboratory setup –Multiple machines with similar configuration Portscan on a single machine Distributed portscan - Small evasive scans on multiple machines Aim – Detect such distributed scans
Typical lab setup
Types of Portscans Scan types: –TCP connect() scan –Stealth SYN scan –Stealth FIN scan –Xmas scan –Null scan Scan sweeps: –One-to-one, one-to-many, many-to-one, many- to-many
SourceTargetNetwork Messages Send SYN, seq=x Receive SYN segment Send SYN, seq=y, ACK x+1 Receive SYN + ACK segment Send ACK y+1 Receive ACK segment Send ACK+FIN+RST Receive ACK+FIN+RST … more packet exchanges Normal sequence of packets
SourceTargetNetwork Messages Send SYN, seq=x Receive SYN segment Send SYN, seq=y, ACK x+1 Receive SYN + ACK segment Send RST Receive RST Stealth SYN scan
SourceTargetNetwork Messages Stealth FIN scan Send FIN Receive FIN
Packages analyzed Sniffit (http://sniffit.rug.ac.be/sniffit/sniffit.html)http://sniffit.rug.ac.be/sniffit/sniffit.html –A network sniffer for TCP/UDP/ICMP packets –Interactive mode Tcpdump (http://www.tcpdump.org)http://www.tcpdump.org –A tool for network monitoring and data acquisition Nmap (http://www.nmap.org)http://www.nmap.org –“Network mapper” for network exploration, security auditing –Various types of TCP/UDP scans, ping scans
…contd Portsentry (http://www.psionic.com/abacus/portsentry)http://www.psionic.com/abacus/portsentry –Host-based TCP/UDP portscan detection and active defense system –Stealth scan detection –Reacts to portscans by blocking hosts –Internal state engine to remember previously connected hosts –All violations reported to syslog Snort (http://www.snort.org)http://www.snort.org –Network-based IDS – real-time analysis and traffic logging –Content searching/matching to detect attacks and probes – buffer overflows, CGI attacks, SMB probes, OS fingerprinting attacks –Rules language to describe traffic to collect or pass –Alerts via syslog, user files, WinPopUp messages –3 functional modes – sniffer, packet logger, NIDS
…contd Portsentry –Binds to all ports to be monitored –A static “list” of ports monitored –State engine – different hosts Snort –Preprocessor – connections to P ports in T seconds –V1.8 – only one-to-one and one-to-many portscans detected
Our approach Pick up network packets Based on which type of portscan is to be analyzed, identify the scan signature Add each source and target IP address, to the correlation lists Use the correlation lists to infer the scan sweep – one-to-one, one-to-many, many-to- one, many-to-many
Detection algorithm Examine each TCP packet on the network. Extract source and target IP addrs and ports. For each scan type to be detected, maintain a list of “valid” connections. When a scan signature is detected, add source and target IP addrs to 2 correlation lists pointed to by srcIP and tarIP, remove entry from connections list.
…contd Identical correlation lists record source and target IP addrs info, along with number of scans. Scan sweeps one-to-one, one-to-many, many-to-one, and many-to-many are detected by passes thru the correlation lists.
Conclusions All the scans performed by nmap were detected successfully by our detector and the correlations were accurate. Some stray incidents of ident lookups did get classified as scans, due to the way closed ports behave.