1. Stephen S. Yau CSE 465-591, Fall 2006 1 Intrusion Detection

2. Stephen S. Yau CSE 465-591, Fall 2006 2 Intruders Gain hostile or unwanted access to the system. Either local or via network Varying levels of competence May seem benign May use compromised system to launch other attacks Aim to increase their own privileges on system

3. Stephen S. Yau CSE 465-591, Fall 2006 3 Types of Intruders Masquerader: usually an outsider, not authorized to use the system, but penetrates the system through legitimate user account Misfeasor: usually an inside legitimate user who accesses assets not authorized, or is authorized but misuses privileges Clandestine user: an insider or outsider user who has supervisory access to the system

4. Stephen S. Yau CSE 465-591, Fall 2006 4 Intrusion Techniques Basic attack methodology –Take possession of target machine and gather unauthorized information –Obtain initial access –Escalate privileges –Remove traces of intrusion Main goal is to acquire passwords

5. Stephen S. Yau CSE 465-591, Fall 2006 5 Why Need Intrusion Detection? Security failures are inevitable Need to detect intrusions –Blocked if detected quickly –Act as deterrent –Collect information to improve security Data within organization is often more important than the network itself –Commerce, Government, Business, and Academia

6. Stephen S. Yau CSE 465-591, Fall 2006 6 Intrusion Detection System Types of IDS –Host-based IDS –Network-based IDS T1: ch22 T2: ch25

7. Stephen S. Yau CSE 465-591, Fall 2006 7 Host-based IDS Use OS auditing mechanisms e.g., logs all direct or indirect events generated by a usere.g., logs all direct or indirect events generated by a user Monitor user activities e.g., Analyze shell commandse.g., Analyze shell commands Monitor executions of system programs e.g., Analyze system calls made by sendmaile.g., Analyze system calls made by sendmail Involve monitoring of –communications in and out of a machine –integrity of system files –processes running

8. Stephen S. Yau CSE 465-591, Fall 2006 8 Examples of Host-based IDS Black Ice (http://www.networkice.com) http://www.networkice.com –Windows Operation System Zone Alarm (http://www.zonealarm.com) http://www.zonealarm.com –Windows Operation System Internet Security Systems (ISS) RealSecure (http://www.iss.net) http://www.iss.net –Windows and Unix Operating System Linux Intrusion Detection Systems (LIDS) (http://www.lids.org) http://www.lids.org –Linux Operating System

9. Stephen S. Yau CSE 465-591, Fall 2006 9 Strengths and Drawbacks of Host-based IDS Strengths: –Easy attack identification –Can monitor key components –Near real-time detection and response. –No additional hardware needed Drawbacks: –Type of information needed to be logged in is a matter of experience. –Unselective logging of messages may greatly increase audit and analysis burdens. –Selective logging has risk that attack manifestations be missed.

10. Stephen S. Yau CSE 465-591, Fall 2006 10 Network-based IDS Deploy special sensors at strategic locations e.g., Packet sniffing via tcpdump at routerse.g., Packet sniffing via tcpdump at routers Inspect network traffic Watch for violations of protocols and unusual connection patternsWatch for violations of protocols and unusual connection patterns Monitor user activities Look into data portions of packets for malicious command sequencesLook into data portions of packets for malicious command sequences Monitor packets for some sort of signature as they pass a sensor

11. Stephen S. Yau CSE 465-591, Fall 2006 11 Common Network Signs of Intrusion Detection String –Look for a text string that indicates a possible attack. Port –Watch for connection attempts to well-known frequently attacked ports. Header –Look for suspiciously dangerous or illogical combinations of packets and headers. –Example: Winnuke, where a packet is destined for NetBIOS port, and Urgent pointer or Out Of Band pointer is set, resulting in "blue screen of death" for Windows systems.

12. Stephen S. Yau CSE 465-591, Fall 2006 12 Some Examples of Network-based IDS Internet Security Systems (ISS) RealSecure (http://www.iss.net) http://www.iss.net –Windows and Unix Operating System Snort (http://www.snort.org) http://www.snort.org –Open Source –Windows and Unix Operating System Cisco NetRanger (http://www.cisco.com) http://www.cisco.com –Unix Based Appliance Intrusion Detection System

13. Stephen S. Yau CSE 465-591, Fall 2006 13 Strengths and Drawbacks of Network-based IDS Strengths: –Cost of ownership reduced –Packet analysis feasible –Real time detection and response –Malicious intent detection before real intrusion happens –Operating system independence Drawbacks: – –Packets can be lost on flooded networks; Reassemble packets could be incorrect and trigger false alarm – –Not handle encrypted data –Depending on network architecture –High false-positive –Configuration needs expertise –Privacy compromised

14. Stephen S. Yau CSE 465-591, Fall 2006 14 NIDS Hybrid of Network-based and Host-based IDS HIDS Internet

15. Stephen S. Yau CSE 465-591, Fall 2006 15 Intrusion Detection Techniques Profile-basedSignature-based –Rule-based –State Transition Analysis –Pattern Matching

16. Stephen S. Yau CSE 465-591, Fall 2006 16 ID Techniques – Profile-based Profile: identification of subjects and their normal behavior Subject: a user account, a service, a group, or a network domain, etc. Approaches: –Intrusion Detection Expert System (IDES) –Wisdom and Sense (W & S) –Specification-based Advantages: easy to implement; capable of detecting new intrusion scenarios Disadvantage: high false alarms

17. Stephen S. Yau CSE 465-591, Fall 2006 17 ID Techniques – Signature-based Find specific event sequences (signatures) by scanning system activities Event: a generic system activity, such as deleting a file, sending an e-mail Types: –Rule-based –State-transition analysis –Pattern matching Can detect known intrusion patterns efficiently, but not unknown intrusion patterns and variants of intrusion signatures.

18. Stephen S. Yau CSE 465-591, Fall 2006 18 Rule-based Intrusion Detection Based on expert system Most basic signature-based IDS “If condition, then action” –Condition specifies constraints on audit record –Action specifies action to be taken if condition is satisfied.

19. Stephen S. Yau CSE 465-591, Fall 2006 19 Rule-based Intrusion Detection (cont.) Observe events happening on system Apply rules to decide if activity is suspicious Rule-based Anomaly Detection: –Generating rules involves analysis of audit data and identification of usage patterns –Observe current data and match data against rules to see if it conforms to abnormal behavior Example: If a server finds that 40 % of the packets received are Internet Control Message Protocol (ICMP) echo requests from diverse sources, it may be regarded as a DoS attack. Rule: Percentage of echo request in ICMP >= 40%  DoS attack happens

20. Stephen S. Yau CSE 465-591, Fall 2006 20 Strengths and Drawbacks of Rule-based Intrusion Detection Strengths: –The inference engine is simple –The system is powerful to detected intrusion specified in those rules –Easy to implement Limitations –Direct dependence on audit records. –Rules are created using audit records of known penetrations. Slight variations in attacks could make penetration undetected. –If someone changes audit trail, penetration may not be detected. –Difficult for distributed processing

21. Stephen S. Yau CSE 465-591, Fall 2006 21 State Transition Analysis State is a snapshot of the system with all the volatile and permanent memory locations. –State represents some attribute of system – not whole system state –State is generic, e.g. “user is root now” Transition is an action that will make state changed. Penetration is viewed as a sequence of actions performed by an attacker that leads from an initial state to a compromised (insecure) state. –Penetration sequence represented by finite state machine node is a state arc is an action (or transition) Signature actions are a sequence of identified actions which will trigger transition from one state to another.

22. Stephen S. Yau CSE 465-591, Fall 2006 22 State Transition Analysis (cont.) Information retrieved from audit data are represented graphically in State Transition Diagram As actions of an intrusion are completed one by one, the target machine changes its state from one state to another when certain actions are performed. When the machine changes from some normal state to a compromised state, an intrusion is detected and reported

23. Stephen S. Yau CSE 465-591, Fall 2006 23 Strengths and Drawbacks of State Transition Analysis Strengths: –State Transition Analysis identifies a number of signature actions and represents them visually. –State Transition Diagram identifies precisely the requirements and penetrations –Lists of actions that must occur for completion of certain penetration. –Provide efficient reasoning support. Drawbacks: –It cannot represent complex intrusion scenarios.

24. Stephen S. Yau CSE 465-591, Fall 2006 24 Pattern Matching Approach Each intrusion signature is represented as a Petri net –A Petri net is a graphical and mathematical modeling tool. It consists of places, transitions, and arcs that connect them. Input arcs connect places with transitions, while output arcs start at a transition and end at a place. –Has strong expressive power (Reference: James L. Peterson, “Petri Net theory and modeling of systems (Reference: James L. Peterson, “Petri Net theory and modeling of systems”)

25. Stephen S. Yau CSE 465-591, Fall 2006 25 Pattern Matching Approach (cont.) Characteristics of patterns used to model attacks –Linearity: Specifies a sequence of events comprising the signature pattern which is a sequence of events without conjunction and disjunction. –Unification: Instantiates variables to earlier events and matches these events to later occurring events. –Occurrence: Specifies the relative placement in time of an event with respect to the previous events. –Beginning: Specifies the absolute time of match of the beginning of a pattern. –Duration: Specifies constraints on the time duration for which the event must be active. Reference: S. Kumar, E. H. Spafford, “An Application of Pattern Matching in Intrusion Detection” http://www.csee.umbc.edu/cadip/docs/NetworkIntrusion/pattern.pdf

26. Stephen S. Yau CSE 465-591, Fall 2006 26 Pattern Matching Approach (c ont.) Use Petri nets to capture –Each signature corresponds to a particular Petri net automaton –Nodes represents tokens; edges represents transitions –Final state of signature is a compromised state Generate an intrusion pattern 1.Identify existence of files or other entities created by an attacker 2.Identify a sequence of events 3.Identify two or more sequences of events under temporal relation 4.Identify duration of events 5.Identify interval of events

27. Stephen S. Yau CSE 465-591, Fall 2006 27 Strengths: –Rule based sequential patterns detect anomalous activities that are difficult using traditional methods. –Systems built using this model are highly adaptive to changes by users; if a new pattern found, it is easier to define it by Petri net. –Anomalous activities detected and reported within seconds of receiving audit events. Drawbacks: –Requires experience to generate rules –Difficult to verify the completeness set of rules Strengths and Drawbacks of Pattern Matching Approach

28. Stephen S. Yau CSE 465-591, Fall 2006 28 References Matt Bishop,, Addison- Wesley, 2004, ISBN: 0321247442 (textbook1) Matt Bishop, Introduction to Computer Security, Addison- Wesley, 2004, ISBN: 0321247442 (textbook1) Matt Bishop, Computer Security: Art and Science, Addison- Wesley, 2002, ISBN: 0201440997 (textbook2) M. Merkow, J. Breithaupt, Information Security: Principles and Practices, Prentice Hall, August 2005, 448 pages, ISBN 0131547291 James L. Peterson, “Petri Net theory and modeling of systems James L. Peterson, “Petri Net theory and modeling of systems” S. Kumar, E. H. Spafford, “An Application of Pattern Matching in Intrusion Detection”. Available at: http://www.csee.umbc.edu/cadip/docs/NetworkIntrusion/patte rn.pdf