The Role of Intrusion Detection Systems (IDSs). Article authors: John McHugh, Alan Christie, Julia Allen. Presentation: Ali Ardalan, October 12th,


1 The Role of Intrusion Detection Systems (IDSs)
Article authors: John McHugh, Alan Christie, Julia Allen
Presentation: Ali Ardalan, October 12th, 2000

2 Article Overview “This article considers the role of IDS’s in an organization’s overall defensive posture and provides guidelines for IDS deployment, operation & maintenance.”

3 Intrusion Detection: Historical Context
Yesterday:
– Early hackers were simply interested in proving that they could break into systems
– 1980: John Anderson’s Computer Security Threat Monitoring & Surveillance
– 1987: Dorothy Denning’s An Intrusion Detection Model
Today:
– Hackers of today are motivated by financial, political and military objectives

4 The Evolution of Hacker Capability
(Chart: Attack Sophistication vs. Intruder Technical Knowledge)

5 The Two Schools of IDS’s
Pattern Matching
Strengths:
- Able to detect industry-standard & accepted attacks
- Able to easily name & classify attack types
- Developing attack signatures for comparison is fairly straightforward
- Able to identify previously unseen attacks with similar patterns
Weaknesses:
- Unable to detect truly novel attacks
- Constantly suffer from false alarms
Anomaly Detection
Strengths:
- Difficult for attackers to mask their activity within the normal noise distribution, so as to evade detection
- Strong ability to recognize novel attacks
Weaknesses:
- Substantial system training is required
- Modifications to the system require re-training & result in false alarms during the interim
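The two schools side by side, as an added example that is not from the article or the presentation: a signature matcher over a constructed catalogue of two patterns, and an anomaly detector that profiles which path segments each host normally requests. All hosts, paths and signatures are constructed for the demonstration. It shows the three points of the slide: the signature school names the known probe but misses the novel encoding, the anomaly school catches both, and the anomaly school raises a false alarm on a legitimate new page until it is retrained.

```python
import re

# Constructed sample web-server events (not from the article): (source host, requested path).
NORMAL = [("10.0.0.5", "/index.html")] * 20 + [("10.0.0.6", "/about.html")] * 15
ATTACKS = [
    ("10.0.0.9", "/cgi-bin/phf?Qalias=x"),         # well-known probe: a signature exists
    ("10.0.0.9", "/scripts/..%c0%af..%c0%afcmd"),  # novel encoding: no signature yet
]
NEW_PAGE = [("10.0.0.5", "/news.html")]            # legitimate change after a site update

# Pattern-matching school: a catalogue of named signatures (constructed, not a vendor set).
SIGNATURES = {
    "phf-cgi-probe": re.compile(r"/cgi-bin/phf\?"),
    "dot-dot-traversal": re.compile(r"\.\./"),
}

def signature_alerts(events):
    """Name every event that matches a known signature; novel attacks go unnamed."""
    return [(host, name) for host, path in events
            for name, rx in SIGNATURES.items() if rx.search(path)]

class AnomalyDetector:
    """Anomaly school: learn which path segments each host normally requests."""
    def __init__(self):
        self.profile = {}   # host -> set of path segments seen during training

    def train(self, events):
        for host, path in events:
            self.profile.setdefault(host, set()).update(re.split(r"[/?]", path))

    def alerts(self, events):
        """Flag an event when any segment of its path is unseen for that host."""
        out = []
        for host, path in events:
            unseen = set(re.split(r"[/?]", path)) - self.profile.get(host, set())
            if unseen:
                out.append((host, path))
        return out

def demo():
    """Run both schools over the same traffic and return what each reports."""
    ad = AnomalyDetector()
    ad.train(NORMAL)
    result = {
        "signature": signature_alerts(NORMAL + ATTACKS + NEW_PAGE),
        "anomaly": ad.alerts(NORMAL + ATTACKS),
        "anomaly_before_retrain": ad.alerts(NEW_PAGE),  # false alarm on a new legitimate page
    }
    ad.train(NEW_PAGE)                                  # re-training clears the false alarm
    result["anomaly_after_retrain"] = ad.alerts(NEW_PAGE)
    return result
```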

6 Phenomenology of IDS’s
Network Based
What do they do?
- Are physically separate network entities
- Examine packets on a network segment
- Can simultaneously monitor multiple hosts
Strengths/Weaknesses?
- Easy to deploy & maintain
- Have little impact on the monitored system’s performance
- Can suffer from performance problems of their own under load
Host Based
What do they do?
- Operate on an existing network element
- Inspect audit or log data to detect intrusive activities
- Can simultaneously monitor multiple applications
Strengths/Weaknesses?
- Detect intrusions that are not externally observable
- Can seriously affect the host system’s performance
- Successful intrusions can disable host-based IDS’s

7 A Properly Deployed IDS
#1 Can recognize both intrusions and DoS activities and invoke countermeasures against them in real time.
#2 Can provide warnings that the system is under attack, even when not vulnerable.
#3 Can confirm secure configuration and operation of other security mechanisms such as firewalls.
#4 Can collect forensic information during an attack, allowing for future location & prosecution of intruders.

8 A Suggested Security Solution
Make intruder tasks substantially more difficult:
– Configure inner network sensors to recognize intrusive & unexpected protocols
– Place external sensors beyond firewalls to validate firewall rules
– Configure host-based sensors on servers, looking for abnormal behavior by applications and within the operating system
– Install a well-designed network of multiple firewalls
– Adhere to a clearly defined, mission-specific security policy
– Remove the ability to use all unneeded services
– Regularly use integrity checking tools
– Minimize vulnerability by constantly applying updates & patches

9 Architecture for Suggested Solution
(Diagram: the Internet reaches a firewall through an external network sensor; behind it a DMZ holds the web server, application server, DB server and e-mail server, each with a host sensor; a further network sensor and host sensors cover the intranet and workstations. A network analyzer and a host analyzer feed an IDS management console, which produces alerts and incident reports.)

10 The IDS Landscape
Vendors frequently release new IDS products.
Vendors aggressively compete for market share, buy each other out and discontinue IDS product lines.
There are no industry standards for comparison.
There are very few objective third-party evaluations.
IDS marketing literature is vague and unclear about:
– The work required to use & maintain IDS systems
– Metrics for proper functioning & false alarms…

11 A Sampling of ID Tools
Commercial Products (easier to install & configure due to GUIs)
– RealSecure (real-time IDS, host & network sensors)
– Tripwire (post-intrusion file integrity tool)
Public-Domain Tools (users develop an understanding of ID abilities & limitations)
– Shadow (joint venture: Navy, NSA, SANS Institute)
– Snort (open source, public domain effort)
Research Prototypes (developed for academic purposes, not maintained)
– Emerald (3 tiers: service, domain, enterprise monitors)
– Stat (state transition, sequence of actions)

12 Test Scenarios
MIT Lincoln Labs Evaluations, 1998 & 1999
32 attack types, 4 categories
– Denial of Service, Remote-to-Local, User-to-Root, Probing & Surveillance
– Best system detected 75% of the 120 attacks present
– Best system generated 2 false alarms per day
– Average system generated 10+ false alarms per day
IBM Zurich IDS Test Lab, 1999
– NetRanger 2.1.2: detected 18 of 32 attacks
– RealSecure 3.0x: detected 30 of 42 attacks

13 IDS’s, the Next Target for Attack
Smart attackers will attack the IDS’s:
– Disable the IDS entirely
– Trick IDS’s into providing false information
Necessity for protection of IDS’s:
– Encryption of log files
– Proper setting of IDS access controls
– Regular integrity checks of IDS files
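The integrity check recommended for IDS files here (and as a general measure in slide 8), as an added example that is not code from the article, the presentation or any of the tools it names: a Tripwire-style baseline of SHA-256 digests over a directory, compared later to report modified, added and removed files. The IDS directory, its file names and contents are constructed in a temporary directory for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

def file_digest(path):
    """SHA-256 of a file, read in chunks so large log files are handled."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline(root):
    """Record a digest for every regular file under root (relative path -> digest)."""
    root = Path(root)
    return {str(p.relative_to(root)): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(old, new):
    """Report what changed since the baseline was taken."""
    return {
        "modified": sorted(k for k in old if k in new and old[k] != new[k]),
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
    }

def demo():
    """Constructed IDS directory: baseline it, tamper with it, then re-check."""
    with tempfile.TemporaryDirectory() as d:
        ids = Path(d)
        (ids / "rules").mkdir()
        (ids / "rules" / "web.rules").write_text("alert on /cgi-bin/phf\n")
        (ids / "sensor.conf").write_text("log=/var/log/ids.log\n")
        (ids / "ids.log").write_text("2000-10-12 alert phf probe\n")
        before = baseline(ids)
        # Simulated tampering the check must catch: a silenced rule, a wiped log,
        # a removed config and an added file.
        (ids / "rules" / "web.rules").write_text("")
        (ids / "ids.log").write_text("")
        (ids / "sensor.conf").unlink()
        (ids / "rules" / "extra.rules").write_text("pass all\n")
        return compare(before, baseline(ids))
```

The baseline itself must be kept where a compromised host cannot rewrite it (off-host or under the access controls the slide calls for), otherwise the check only confirms the tampered state.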

14 Article Conclusions
“ID technology is immature and its effectiveness is limited.”
“Much of the current effort seems to be aimed at detecting attacks made by relatively unskilled and unfocused attackers.”
Anticipate modest improvement in the actual IDS algorithms.
High expectations for improvements in detection and false alarms due to research in multiple-sensor correlation.

