1. Distributed Intrusion Detection Mamata Desai (99305903) M.Tech.,CSE dept, IIT Bombay

2. Overview  What is intrusion ?  Dealing with intrusion  Intrusion detection principles  Our problem definition  Packages analyzed  Our approach  Experiments and Results  Conclusions

3. What is intrusion ?  The potential possibility of a deliberate unauthorized attempt to: 1.Access information 2.Manipulate information 3.Render a system unreliable or unusable  Types of intrusions: –External attacks Password cracks, network sniffing, machine & services discovery utilities, packet spoofing, flooding utilities, DOS attacks –Internal penetrations – Masqueraders, clandestine users –Misfeasors – authorized misuse

4. Example attacks  Password cracking  Buffer overflow  Network reconnaissance  Denial of service (DoS)  IP spoofing

5. Dealing with intrusion  Prevention –isolate from n/w, strict auth, encryption  Preemption –“do unto others, before they do unto you”  Deterrence –dire warnings: “we have a bomb too”  Deflection –diversionary techniques to lure away  Counter measures  Detection

6. Intrusion Detection principles  Anomaly-based –Form an opinion on what constitutes “normal”, and decide on a threshold to flag as “abnormal” –Cannot distinguish illegal from abnormal  Signature-based –Model signatures of previous attacks and flag matching patterns –Cannot detect new intrusions  Compound

7. System characteristics  Time of detection  Granularity of data processing  Source of audit data  Response to detected intrusions –passive v/s active  Locus of data-processing  Locus of data-collection  Security  Degree of inter-operability

8. Host-based v/s Network-based IDS  Host-based IDS 1.Verifies success or failure of an attack 2.Monitors specific system activities 3.Detects attacks that n/w based systems miss 4.Well-suited for encrypted and switched environments 5.Near-real-time detection and response 6.Requires no additional hardware 7.Lower cost of entry

9. …contd.  Network-based IDS 1.Lower cost of ownership 2.Detects attacks that host-based systems miss 3.More difficult for an attacker to remove evidence 4.Real-time detection and response 5.Detects unsuccessful attacks and malicious intent 6.Operating system independence 7.Performance issues

10. Our problem definition  Portscanning  Our laboratory setup –Multiple machines with similar configuration  Portscan on a single machine  Distributed portscan - Small evasive scans on multiple machines  Aim – Detect such distributed scans

11. Typical lab setup

12. Types of Portscans  Scan types: –TCP connect() scan –Stealth SYN scan –Stealth FIN scan –Xmas scan –Null scan  Scan sweeps: –One-to-one, one-to-many, many-to-one, many- to-many

13. SourceTargetNetwork Messages Send SYN, seq=x Receive SYN segment Send SYN, seq=y, ACK x+1 Receive SYN + ACK segment Send ACK y+1 Receive ACK segment Send ACK+FIN+RST Receive ACK+FIN+RST … more packet exchanges Normal sequence of packets

14. SourceTargetNetwork Messages Send SYN, seq=x Receive SYN segment Send SYN, seq=y, ACK x+1 Receive SYN + ACK segment Send RST Receive RST Stealth SYN scan

15. SourceTargetNetwork Messages Stealth FIN scan Send FIN Receive FIN

16. SourceTargetNetwork Messages Stealth Xmas scan Send FIN+PSH+URG Receive FIN+PSH+URG

17. Packages analyzed  Sniffit (http://sniffit.rug.ac.be/sniffit/sniffit.html)http://sniffit.rug.ac.be/sniffit/sniffit.html –A network sniffer for TCP/UDP/ICMP packets –Interactive mode  Tcpdump (http://www.tcpdump.org)http://www.tcpdump.org –A tool for network monitoring and data acquisition  Nmap (http://www.nmap.org)http://www.nmap.org –“Network mapper” for network exploration, security auditing –Various types of TCP/UDP scans, ping scans

18. …contd  Portsentry (http://www.psionic.com/abacus/portsentry)http://www.psionic.com/abacus/portsentry –Host-based TCP/UDP portscan detection and active defense system –Stealth scan detection –Reacts to portscans by blocking hosts –Internal state engine to remember previously connected hosts –All violations reported to syslog  Snort (http://www.snort.org)http://www.snort.org –Network-based IDS – real-time analysis and traffic logging –Content searching/matching to detect attacks and probes – buffer overflows, CGI attacks, SMB probes, OS fingerprinting attacks –Rules language to describe traffic to collect or pass –Alerts via syslog, user files, WinPopUp messages –3 functional modes – sniffer, packet logger, NIDS

19. …contd  Portsentry –Binds to all ports to be monitored –A static “list” of ports monitored –State engine – different hosts  Snort –Preprocessor – connections to P ports in T seconds –V1.8 – only one-to-one and one-to-many portscans detected

20. Our approach  Pick up network packets  Based on which type of portscan is to be analyzed, identify the scan signature  Add each source and target IP address, to the correlation lists  Use the correlation lists to infer the scan sweep – one-to-one, one-to-many, many-to- one, many-to-many

21. Experimental Setup

22. Detection algorithm  Examine each TCP packet on the network.  Extract source and target IP addrs and ports.  For each scan type to be detected, maintain a list of “valid” connections.  When a scan signature is detected, add source and target IP addrs to 2 correlation lists pointed to by srcIP and tarIP, remove entry from connections list.

23. …contd  Identical correlation lists record source and target IP addrs info, along with number of scans.  Scan sweeps one-to-one, one-to-many, many-to-one, and many-to-many are detected by passes thru the correlation lists.

25. Experiments SourceTargetTCP ports pro-13pro-1925, 119 pro-15pro-2121, 23, 80 pro-17pro-2322, 79 SourceTargetTCP ports pro-13pro-19 pro-21 pro-23 7, 20, 21 22, 23, 25, 53 69, 79, 80, 88 pro-15pro-19 pro-21 110, 111, 119 139, 143, 194, 220 One-to-one scan One-to-many scan

26. …contd SourceTargetTCP ports pro-13pro-21443, 513, 518 pro-15pro-21873, 3130, 6667 pro-17pro-21107, 20, 21, 23 SourceTargetTCP ports pro-13pro-19 pro-21 pro-23 7, 20, 21, 79 80, 113, 119, 139 143, 194, 667 pro-15…… pro-17…… Many-to-one scan Many-to-many scan

27. Conclusions  All the scans performed by nmap were detected successfully by our detector and the correlations were accurate.  Some stray incidents of ident lookups did get classified as scans, due to the way closed ports behave.