5/1/2006Sireesha/IDS3
Network Attacks
With ever-increasing Internet-enabled services, a computer network should be guarded against network attacks.
A few network threats
– Worms
    Self-propagating malicious code, automatic distribution via network connections
– Virus
    Self-replicating code. Can be attached to any host application
– Denial of Service
    Overloading of resources, making them unavailable to legitimate users.

IDS Details - Why an IDS?
Firewalls - Though a valid first step, not enough
– Attacks can happen before its rules are updated.
– Laptops can be infected outside the network and then brought in.
– Wireless accesses into a network.
Benefits
– Detection of Attacks
– Enforcing policies
– Audit trails

IDS Details - Types
Two types of IDS
– Network-based IDS (NIDS)
    Analyzes packets coming across a network connection.
    Logs for after-attack analysis
    Real-time alerts
– Host-based IDS (HIDS)
    Monitors a single system
    File integrity checks
    Analyzes system logs for unusual activities - multiple login attempts

IDS Details - Detection Techniques
Two techniques
– Signature based
    Maintain a store of known attack signatures.
    Analyze new traffic against the contents of the store.
    Only known attacks can be detected, so the first occurrence of a new attack cannot be detected.
– Anomaly based
    Create and maintain a profile based on normal behavior.
    Analyze new traffic against a model profile.
    New attacks can be detected.

IDS Details - Performance
Performance
– Measured in terms of
    False positives
    – Alert generated on traffic that is not an attack.
    – Alert generated on an attack not intended for the system being monitored.
    False negatives
    – Alerts not generated for real attacks.
    – Most dangerous, leading to undetected attacks.

Snort
Open source, signature-detecting, network-based IDS
Passive - No changes required for the system being monitored.
Versatile - Can be used as IDS, IPS (Intrusion Prevention System), inline firewall.
Available for all major operating systems.
Logging to Oracle, SQL, MySQL, PostgreSQL
Rules are very simple, easy to develop and effective.

Snort Packet Processing
A packet capture library captures raw data from the network card and sends it to Snort.
Snort decodes the packets based on protocol.
Preprocessors are applied to normalize traffic.
Normalized traffic is passed through the detection engine.
An alert is generated if traffic matches a rule.

Snort - Rules
Snort Rule
– Header
    Rule Action (log, alert, pass …)
    Protocol (IP, ICMP, TCP, UDP)
    Source Address and Port
    Flow
    Destination Address and Port
– Body
    Output message
    Additional tests
– Example
    alert tcp 192.168.1.18/32 any -> any 1:1023 (msg:"eBaying"; uricontent:"ebay.com";)

Research for enhancements
Enhancement goals
– Extend Snort to include an automatic signature generation component.
– Extend Snort to detect anomaly-based intrusions.

Semantics-Aware Signatures
Nemean -- Automatic generation of intrusion signatures from honeynet packet traces.
– Aggregate and transform the packet trace into well-defined data structures and group packets into sessions and flows.
– Generate clusters of sessions based on similarity analysis.
– Normal traffic will not result in a cluster formation.
– A cluster generated represents a single attack. Slight variations are accounted for.
– An attack signature is generated from the generated clusters.
USENIX Security Symposium 2005

Anomaly Detection
Payload-based anomaly detection.
Operates in two phases
– Learning Phase
    A profile of expected payload is constructed during normal operation by using a byte frequency distribution analysis of the payload.
– Anomaly Detection Phase
    Incoming payload is compared against the profile.
    Statistical distributions are compared and an alert is generated when the comparison yields a value greater than a threshold.
Resistant to mimicry attacks, since payloads are compared.
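
The two phases above as an added example, not taken from the slides or from any Snort code: a profile of per-byte mean and standard deviation is learned from normal payloads, then new payloads are scored against it. The distance measure (a simplified Mahalanobis distance), the smoothing constant, the held-out calibration with a 1.5 margin, and all sample payloads are assumptions; the slide names only byte frequency analysis and a threshold.

```python
import math
from collections import Counter

def byte_freq(payload: bytes) -> list:
    """Relative frequency of each of the 256 byte values in one payload."""
    counts = Counter(payload)
    return [counts[b] / max(len(payload), 1) for b in range(256)]

class PayloadProfile:
    """Per-byte mean and standard deviation of frequencies seen in normal traffic."""
    def __init__(self, smoothing=0.001):
        self.smoothing = smoothing  # assumed constant; avoids division by zero
        self.mean = [0.0] * 256
        self.std = [0.0] * 256
        self.threshold = float("inf")  # no alerts until calibrate() is called

    def learn(self, payloads):
        """Learning phase: build the profile from payloads assumed attack-free."""
        freqs = [byte_freq(p) for p in payloads]
        for b in range(256):
            col = [f[b] for f in freqs]
            self.mean[b] = sum(col) / len(col)
            self.std[b] = math.sqrt(sum((x - self.mean[b]) ** 2 for x in col) / len(col))

    def distance(self, payload):
        """Simplified Mahalanobis distance (assumed metric) from the profile."""
        f = byte_freq(payload)
        return sum(abs(f[b] - self.mean[b]) / (self.std[b] + self.smoothing) for b in range(256))

    def calibrate(self, normal_payloads, margin=1.5):
        """Set the alert threshold from held-out normal payloads (assumed policy)."""
        self.threshold = margin * max(self.distance(p) for p in normal_payloads)

    def is_anomalous(self, payload):
        """Detection phase: alert when the distance exceeds the threshold."""
        return self.distance(payload) > self.threshold

def http_get(path: bytes) -> bytes:
    return b"GET /" + path + b" HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

# Constructed sample traffic, not captured from a real network.
TRAINING = [http_get(p) for p in (b"index.html", b"images/logo.png", b"about.html",
                                  b"css/site.css", b"news/2006/05/")]
HELD_OUT = [http_get(p) for p in (b"contact.html", b"downloads/")]
BINARY = bytes(range(128, 256))  # non-text payload aimed at the same text service

profile = PayloadProfile()
profile.learn(TRAINING)
profile.calibrate(HELD_OUT)
```

Bytes never seen during learning have zero mean and zero deviation, so the smoothing constant alone sets how heavily each one is penalised; that term dominates the score of the binary payload.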

Resources
Snort Page: www.snort.org
Anomaly Detection on ITArchitect: http://www.itarchitect.com/showArticle.jhtml?articleID=163700677
More links to resources available in the project report.