Network Security Part III: Security Appliances Intrusion Detection Systems.


1 Network Security Part III: Security Appliances Intrusion Detection Systems

2 Why this talk? (SECURITY INNOVATION ©2003)
- IDS solutions are not perfect
- IDS administrators are not perfect
- Security is a process!
  – Not a person!
  – Not a product!
  – Intrusion detection is a part of information security!!!

3 The Problem
- Present network speeds and topology have made it difficult and expensive to deploy a pervasive IDS.

4 Where does IDS fit?
- IDS are useful as an additional layer of defense, no more
- IDS are helpful when advanced attackers are attacking you with new attacks
- Two major types today: network IDS (snort) and host IDS (AIDE, log watcher, etc.)
- Missing IDS type: application IDS
  – eEye’s SecureIIS might be a precursor, but has been proven flawed already
  – AZN-API is a useful new direction for authorization issues

5 Generic Issues with IDS
- It’s yet another system that has to be monitored
- Yet another set of logs that will be ignored
  – Too verbose?
  – Not sensitive enough?
  – Not enough eyes to monitor all your systems?
- The “three cries and you’re out” problem
  – No one likes being woken up continuously at 3 am

6 Types of IDS
- Plain Hard Work
- Host Based
- Network Based
- Log Based
- Target Monitoring

7 Plain Hard Work
- Freeware
- Sniffers
- Log analysis
- Lots of time
- Very exciting work
- Log aggregation is a pain

8 Log Based
- Reviews syslog
- Reviews SNMP
- Not real-time
- Forensics tool

9 Target Monitoring
- Watches the OS
- Lives on box
- Watches files
- Scheduled runs
- Near real-time

10 Network Based
- Listens to all traffic on segment
- Must live on target net
- Has throughput limitations, especially in a 100 Mb/s traffic environment

11 Network IDS
- Usually has one or more interfaces in promiscuous mode, which makes them detectable in certain circumstances (see anti-sniff)
- Useful to spot unusual traffic trends
- Even with the fastest processors, most commercial and non-commercial network IDS cannot cope with > 100 Mb/s traffic
- Good example: snort
- Issue: useful only if you can monitor it and the alarms have been calibrated to suit your needs

12 Network IDS
- Searches for patterns in packets
- Searches for patterns of packets
- Searches for packets that shouldn't be there
- May ‘understand’ a protocol for effective pattern searching and anomaly detection
- May passively log, alert via SMTP/SNMP, or have a real-time GUI

13 Network IDS Limitations
- Obtaining packets: topology & encryption
- Number of signatures
- Quality of signatures
- Performance
- Network session integrity
- Understanding the observed protocol
- Disk storage

14 Network IDS (diagram: the NIDS sees a request for /cgi-bin/phf and alerts “Jane used the PHF attack!”)

15 Network IDS (diagram: the NIDS sees NMAP probes and alerts “Jane did a port sweep!”)

16 Host Based
- Lives on host
- Uses CPU cycles
- Uses disk cycles
- Real-time alerts
- Many vendors
- Thresholds

17 Host IDS
- Host based IDS perform a range of useful integrity tests, such as tracking file system changes
- WinNT/2K: prefer auditing to tripwire (or maybe use both); auditing is real time, and you know which user caused the event as they are doing it
- Tripwire and AIDE are non-real time and only let you know something has happened after the fact
- Commercial host IDS do way more than open source IDS today, but expect this to change soon

18 Host Based IDS
- Signature log analysis
  – application and system
- File integrity checking
  – MD5 checksums
- Enhanced kernel security
  – API access control
  – Stack security
- Network monitoring hybrids

19 Host Based IDS Limitations
- Places load on system
- Disabling system logging
- Kernel modifications to avoid file integrity checking (and other stuff)
- Management overhead
- Network IDS limitations

20 Host Based IDS (diagram: separate log sources: messages, xfer, access_log, secure, sendmail)

21 Host Based IDS (diagram: the same log sources, messages, xfer, access_log, secure and sendmail, feeding a single OneSecurityLog)

22 Application IDS
- Doesn’t exist … but should!
- Requires the assistance of applications to really function correctly
- There isn’t a general purpose API to implement this, and many product writers believe that they are writing secure software, so…

23 Where to deploy IDS
- The typical place is in the DMZ or behind the firewall
- There are too many lame attacks for an IDS to be out in no man’s land
- Much more useful to see those attacks that have penetrated your firewall or are in a sensitive network

24 Firewalls as an IDS
- Excellent source of network probe, attack and misuse information
- Detect policy deviations based on access control lists
- Some have “NIDS” capabilities

25 Network Honeypots
- Sacrificial system(s) or sophisticated simulations
- Any traffic to the honeypot is considered suspicious
- If a scanner bypassed the NIDS, HIDS and firewalls, they still may not know that a honeypot has been deployed

26 (network diagram: Internet, Router/Firewall, Bastion Hosts for Mail and FTP, Internal Network)

27 Technical Bypass Techniques
- NIDS
  – fragmentation
  – TCP un-sync
  – low TTL
  – ‘max’ MTU
  – HTTP protocol
  – Telnet protocol
- HIDS
  – kernel hacks
  – bypassing stack protection
  – library hacks
  – HTTP logging
- Packet insertion techniques

28 (diagram: the NIDS keeps a fragment queue, IP #1 to #3, and a session queue, Session #1 to #3)

29 (diagram, continued: the NIDS fragment queue and session queue)

30 Bypassing NIDS - Fragmentation
- NIDS must reconstruct fragments
  – Maintain state = drain on resources
  – Must overwrite correctly = more drain on resources
- Target server correctly de-frags
- Attack #1: just fragment
- Attack #2: frag with overwrite
- Attack #3: start an attack, follow with many false attacks, finish the first attack
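All three attacks above exploit the gap between what the NIDS reassembles and what the target host reassembles. The following is an added example, written for this page rather than taken from the presentation or from any IDS, of a small reassembler in Python that handles each case from the defender's side: it rebuilds plain fragmentation, raises an alert when overlapping fragments carry different bytes (which copy the target keeps depends on its operating system, so the NIDS should report the ambiguity rather than silently pick one), and bounds its queue so a flood of never-completed datagrams evicts old state noisily instead of exhausting memory. The Fragment record and the sample payloads are constructed; offsets are given in bytes here, where the real IP header stores them in 8-byte units.

```python
from dataclasses import dataclass


@dataclass
class Fragment:
    ident: int    # IP identification field shared by all pieces of one datagram
    offset: int   # byte offset of this piece (the IP header stores offset/8)
    data: bytes
    more: bool    # the MF flag: True for every piece except the last


class Reassembler:
    """Toy NIDS fragment queue: reassembles datagrams, flags conflicting
    overlaps, and caps the number of datagrams kept in flight."""

    def __init__(self, max_queue=64):
        self.queues = {}          # ident -> list of fragments, in arrival order
        self.max_queue = max_queue
        self.alerts = []

    def add(self, frag):
        """Queue one fragment; return the full payload once it completes."""
        if frag.ident not in self.queues and len(self.queues) >= self.max_queue:
            # Attack #3 defence: evict the oldest datagram and say so, rather
            # than growing without bound or dropping silently.
            oldest = next(iter(self.queues))
            del self.queues[oldest]
            self.alerts.append(f"fragment queue full; evicted datagram ident={oldest}")
        self.queues.setdefault(frag.ident, []).append(frag)
        return self._try_complete(frag.ident)

    def _try_complete(self, ident):
        frags = self.queues[ident]
        last = [f for f in frags if not f.more]
        if not last:
            return None                       # final piece not seen yet
        total = last[0].offset + len(last[0].data)
        buf, seen = bytearray(total), bytearray(total)
        conflict = False
        for f in frags:                       # first-arrived byte wins
            for i, b in enumerate(f.data):
                pos = f.offset + i
                if pos >= total:
                    conflict = True           # data beyond the declared end
                    continue
                if seen[pos] and buf[pos] != b:
                    conflict = True           # Attack #2: overlapping, differing
                if not seen[pos]:
                    buf[pos], seen[pos] = b, 1
        if not all(seen):
            return None                       # gaps remain
        del self.queues[ident]
        if conflict:
            self.alerts.append(
                f"ident={ident}: overlapping fragments disagree; the target OS may "
                "reassemble a different payload than the NIDS")
        return bytes(buf)


def demo():
    """Replay the three attacks from the slide with constructed fragments."""
    r = Reassembler(max_queue=64)
    out = {}
    # Attack #1: plain fragmentation; a stateful NIDS still sees the request.
    r.add(Fragment(1, 0, b"GET /cgi", True))
    out["plain"] = r.add(Fragment(1, 8, b"-bin/phf", False))
    # Attack #2: decoy bytes arrive first, then the final piece overwrites them.
    r.add(Fragment(2, 0, b"GET /cgi", True))
    r.add(Fragment(2, 8, b"-bin/abc", True))
    out["overwrite"] = r.add(Fragment(2, 8, b"-bin/phf", False))
    out["overwrite_alerted"] = any(a.startswith("ident=2:") for a in r.alerts)
    # Attack #3: 100 datagrams that never complete, against a 64-entry queue.
    before = len(r.alerts)
    for ident in range(100, 200):
        r.add(Fragment(ident, 0, b"junkjunk", True))
    out["queue_alerts"] = len(r.alerts) - before
    return out
```

The "first byte wins" choice is arbitrary; what matters for detection is the alert, because any fixed policy can be wrong for some target and the Ptacek/Newsham paper cited later in the deck is essentially a catalogue of such ambiguities.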

31 Bypassing NIDS - TCP un-sync
- Inject a packet with a bad TCP checksum
  – fake ‘FIN’ packet
- Inject a packet with a weird TCP sequence number
  – step up
  – wrapping numbers

32 Bypassing NIDS - Low TTL (diagram: a NIDS in front of a WWW server, with hop counts 1, 2, 3 between them)

33 Bypassing NIDS - Max ‘MTU’ (diagram: NIDS and WWW server; a 1350 byte packet with DF = 1 sent across a segment with MTU = 1300)

34 Bypassing NIDS - HTTP Proto
- ‘/’ padding: “/cgi-bin///phf”
- Self referencing directories: “/cgi-bin/./phf”
- URL encoding: “%2fcgi-bin/phf”
- Reverse traversal: “/cgi-bin/here/../phf”
- TAB instead of spaces
- DOS/Win syntax: “/cgi-bin\phf”
- Null method: “GET%00/cgi-bin/phf”
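Every entry in the list above is a different spelling of the same request, /cgi-bin/phf, so a NIDS or log analyser that matches signatures against the raw bytes misses all of them. The defensive answer is to canonicalize the request line before matching. The following is an added example in Python, not the presentation's code and not how any particular IDS implements it, that folds each listed obfuscation into one canonical path; the request lines it is fed are constructed for the example.

```python
import re
from urllib.parse import unquote


def normalize_path(raw):
    """Collapse the URL obfuscations listed on the slide into one canonical form."""
    path = raw
    # URL encoding, applied twice so double encoding such as %252f is undone too.
    for _ in range(2):
        path = unquote(path)
    # NUL bytes: servers that treat them as terminators drop what follows, so
    # for signature matching they are simply removed.
    path = path.replace("\x00", "")
    # DOS/Win syntax: treat backslash as a path separator.
    path = path.replace("\\", "/")
    # '/' padding: collapse runs of separators.
    path = re.sub(r"/+", "/", path)
    # Self-referencing and reverse traversal: resolve "." and ".." segments
    # without ever climbing above the root.
    parts = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts)


def parse_request_line(line):
    """Return (METHOD, canonical path) for an HTTP request line.
    Splits on tabs as well as spaces, and handles the null-method trick
    (GET%00/cgi-bin/phf) where the decoded method carries the path."""
    fields = re.split(r"[ \t]+", line.strip())
    method_raw = unquote(fields[0])
    if "\x00" in method_raw:
        method, _, target = method_raw.partition("\x00")
    else:
        method = method_raw
        target = fields[1] if len(fields) > 1 else ""
    return method.upper(), normalize_path(target)


def matches(line, signature="/cgi-bin/phf"):
    """Signature check performed on the canonical path, not the raw line."""
    _method, path = parse_request_line(line)
    return path == signature


# Constructed request lines, one per obfuscation on the slide.
SAMPLES = [
    "GET /cgi-bin///phf HTTP/1.0",          # '/' padding
    "GET /cgi-bin/./phf HTTP/1.0",          # self referencing directory
    "GET %2fcgi-bin/phf HTTP/1.0",          # URL encoding
    "GET /cgi-bin/here/../phf HTTP/1.0",    # reverse traversal
    "GET\t/cgi-bin/phf\tHTTP/1.0",          # TAB instead of spaces
    "GET /cgi-bin\\phf HTTP/1.0",           # DOS/Win syntax
    "GET%00/cgi-bin/phf HTTP/1.0",          # null method
]


def count_matches(lines=SAMPLES):
    return sum(1 for l in lines if matches(l))


if __name__ == "__main__":
    for l in SAMPLES:
        print(repr(l), "->", parse_request_line(l))
    print(count_matches(), "of", len(SAMPLES), "matched")
```

Which spellings a given server actually accepts varies (backslashes and NUL handling differ between server families), so a deployed normalizer should mirror the servers it protects; normalizing more aggressively than the server does costs false positives, normalizing less costs misses. The same technique applies unchanged to the host-side log analysis that slide 40 says these tricks also evade.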

35 Bypassing NIDS - Telnet Proto
- Strip out Telnet codes
- Automatic proxies which add random characters followed by backspace
  – “su X{backspace}root”

36 Bypassing NIDS - Resources
- Tools
  – Whisker - Rain Forest Puppy: http://www.wiretrip.net/rfp/p/doc.asp?id=21&iface=2
  – Fragrouter - Dug Song: http://www.anzen.com/research/nidsbench/
  – Congestant - horizon, Phrack 54
- Papers
  – “Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection”, Tom Ptacek, Timothy Newsham: http://secinf.net/info/ids/idspaper/idspaper.html
  – Bro information: ftp://ftp.ee.lbl.gov/papers/bro-CN99.ps.gz

37 Bypassing HIDS - Kernel Hacks
- Windows NT
  – 4 byte patch that removes all security restrictions from objects within the NT domain
  – Could use access to disable or manipulate HIDS
- Linux - “itfs.c” - kernel module
  – not in /proc/modules
  – hides a sniffer
  – hides files
  – hides processes
  – redirects execve()
  – socket backdoor
  – magic setuid gets root

38 Bypassing HIDS - Stack Protection
- Stackguard
  – A ‘canary’ is placed next to the return address
  – Program halts and logs if the canary is altered
  – Canary can be random or terminating
  – Bypass: overwrite the return address without touching the canary
  – Fix: XOR the return address and the canary
  – Point: yet another example of an arms race

39 Bypassing HIDS - Library Hacks
- Environment variables which redirect shared library locations
- Library has a ‘wrapper’ run by a privileged program
- Two choices
  – Provide certain APIs with original copies of Trojan files
  – Redirect certain APIs to completely different files

40 Bypassing HIDS - HTTP Logging
- The anti-NIDS HTTP techniques may also work for host based IDS tools which do log analysis

41 Bypassing HIDS - Resources
- Phrack 51
  – “Shared Library Redirection Techniques”, halflife
  – “Bypassing Integrity Checking Systems”, halflife
- Phrack 52
  – “Weakening the Linux Kernel”, plaguez
- Phrack 55
  – “A real NT Rootkit, patching the NT Kernel”, Greg Hoglund
- Phrack 56
  – “Shared Library Call Redirection via ELF PLT Infection”, Silvio Cesare
  – “Backdooring Binary Objects”
  – “Bypassing Stackguard and Stackshield”, Bulba & Kil3r
- Stackguard - http://www.immunix.org/documentation.html

42 Practical Bypass Techniques
- NIDS
  – identifying
  – avoiding
  – overwhelming
  – “slow roll”
  – “distributed scanning”
- HIDS
  – identifying
  – log deletion
  – log modification
- Generic
  – Social
  – DOS

43 NIDS - Identifying
- Is it in DNS?
- Does it shoot down connections?
- Is the sniffing interface detectable?
- Is it running on a big red box labeled “IDS”?
- Can the alert messages be observed?

44 NIDS - Identifying
- Any open ports that match a known IDS?
- Has the target posted to an IDS list saying, “We use product XYZ”?
- Do they have a “This site protected by XYZ” message on their web site?

45 NIDS - Avoiding
- Are there other routes into the network?
  – Is there an encrypted path?
  – Modem dial in?
  – Alternate transport layer? (GRE ???)
- Is there an attack not detected by the IDS?
- Is there a technical bypass technique that is not detected by the IDS?

46 NIDS - Overwhelming
- Send as many false attacks as possible while still doing the real attack
  – May overload console
  – May drop packets
  – Admins may not believe there is a threat
- Send packets that “cost” the NIDS CPU cycles to process
  – Fragmented, overlapping, de-synchronized web attacks with the occasional bad checksum

47 NIDS - ‘Slow Roll’
- Port scans and sweeps
  – Obvious: incremental destination ports
  – Trivial: randomized ports
  – Sweep: one port and many addresses
  – Stealthy: random ports and addresses over time

48 Target Mapping (plot of destination ports against IP addresses: plotting all destination ports from one source IP to a target network; labels: port sweep, port scan)

49 Target Mapping (plot of destination ports against IP addresses: a random “simple port walk” still maps out a network with one IP address)

50 Target Mapping (diagram: a MASTER directing SLAVES; the target sees traffic from many addresses)
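Slides 47 to 50 describe scan patterns chosen to stay under a NIDS threshold: spreading probes over time (slow roll) or over many source addresses (distributed scanning). The example below is added here and is not code from the presentation. It is a Python sliding-window detector that counts distinct (destination, port) pairs per key inside a time window, and it shows the two dials a defender has: the same detector catches a slow roll only with a long enough window, and catches a distributed scan only when keyed by the target network rather than by source. The connection records it reads are constructed ("timestamp src dst port" lines with made-up addresses).

```python
from collections import defaultdict, deque


class ScanDetector:
    """Sliding-window scan detector.

    Events are grouped by `key(src, dst)`; a group that touches more than
    `threshold` distinct (dst, port) pairs within `window` seconds is flagged
    once. Counting distinct targets rather than packets means incremental,
    randomized and slow scans all produce the same signal, provided the
    window is long enough to hold them.
    """

    def __init__(self, window, threshold, key):
        self.window = window
        self.threshold = threshold
        self.key = key
        self.events = defaultdict(deque)   # key -> deque of (ts, (dst, port))
        self.flagged = set()

    def observe(self, ts, src, dst, port):
        k = self.key(src, dst)
        q = self.events[k]
        q.append((ts, (dst, port)))
        while q and q[0][0] < ts - self.window:   # expire old events
            q.popleft()
        distinct = {target for _, target in q}
        if len(distinct) > self.threshold and k not in self.flagged:
            self.flagged.add(k)
            return f"{k}: {len(distinct)} distinct dst/port pairs within {self.window}s"
        return None


def by_source(src, dst):
    return src


def by_target_net(src, dst):
    return dst.rsplit(".", 1)[0] + ".0/24"   # crude /24 grouping of the target


def run(lines, window, threshold, key):
    """Feed 'ts src dst port' records through one detector; return its alerts."""
    det = ScanDetector(window, threshold, key)
    alerts = []
    for line in lines:
        ts, src, dst, port = line.split()
        alert = det.observe(float(ts), src, dst, int(port))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed records. Slow roll: one source probes one new port every 100 s.
SLOW_ROLL = [f"{100 * i} 10.9.9.9 192.168.1.10 {1000 + i}" for i in range(30)]
# Distributed: 25 sources each touch one port on the target net within 2 minutes.
DISTRIBUTED = [f"{5 * i} 172.16.{i}.1 192.168.1.{10 + i % 4} {2000 + i}"
               for i in range(25)]


def demo():
    """Alert counts for each pattern under each detector configuration."""
    return {
        "slow_roll_short_window": len(run(SLOW_ROLL, 600, 20, by_source)),
        "slow_roll_long_window": len(run(SLOW_ROLL, 3600, 20, by_source)),
        "distributed_by_source": len(run(DISTRIBUTED, 600, 20, by_source)),
        "distributed_by_target": len(run(DISTRIBUTED, 600, 20, by_target_net)),
    }
```

Longer windows cost memory per key, which is exactly the resource the "overwhelming" slide says an attacker will push on, so in practice the per-key deques need a cap just as the fragment queue does.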

51 HIDS - Identifying
- Almost always after you are on a system...
- Is there anything in the system logs?
- What ports are open?
- What is running out of CRON?
- What is in the NT registry?
- What programs are running?

52 HIDS - Logs
- Simple log deletion may be possible
- Simple log altering may also be possible
  – replace IP addresses to mislead
  – delete key logs
- Logging may be disabled or intercepted
  – Removing syslog from services

53 Generic - Social
- Physical access
- Obtaining “official” access
- Getting others to hack/scan the site for you
  – IRC & chat groups
  – Hacker challenges
- Run the IDS ……

54 Generic - DOS
- Find the main ‘server’
- Kill it
  – IP bomb
  – Port bomb
  – IDS DOS
- Find the clients

55 Drawbacks
- Each system has drawbacks
- Some are not fast enough
- Some are not real-time
- Some intrude on the OS
- Others can cause application compatibility problems

56 What’s wrong with security?
- All software has defects
  – Best practice says that software can only hope to have as few as one defect per 1 KLOC
  – Normal code has 5-15 bugs per 1000 lines
  – Windows NT has 17 million lines…. Do the math

57 Risk model (graph: cost of attack ($) vs. frequency of attack (f))

58 Insurance – Mega Corps
- In large corporations, insurance is a method to assign the risk of catastrophic events to another entity
- Most large corporations are self insuring for most risks (for example, one of my clients simply pays for all car accidents; it’s just cheaper that way)
- Most large corporations do not see the point in insuring an intangible risk such as a web defacement, but they might insure good will.

59 External Threats vs Internal Threats
- Old thinking: a seasoned attacker with extreme skills will be attacking me every time
- Reality #1: script kiddies will launch zillions of RDS attacks at you, even though you might be running Solaris
- Reality #2: your staff are much more of a risk than the script kiddies of this world

60 Anatomy of a Script Kiddie Attack (flow diagram; labels: Collect tools, Attack victims, Tag & Brag)

61 Anatomy of a Gifted Amateur Attack (flow diagram; labels: Collect tools, Develop skills, Attack victim, Gather info)

62 Anatomy of a strong attack (flow diagram; labels: Develop tools, Attack victim, Gather info, Platform mastery, Identify targets)

63 Internet Age Threats
- Real threats arise from people with motive
- Most external attacks are simple, but not all
- Most successful attacks are essentially internal fraud
  – Audit controls will help
- It is nearly always easier to socially engineer from within than attack a system from without once minimum defenses are added

64 Research Challenges
- Detect a wide variety of intrusion types
- Very high certainty
- Real-time detection
- Develop a network-wide view rather than local views
- Analysis must work reliably with incomplete data
- Detect unanticipated attack methods
- Scale to very large heterogeneous systems
- What data to collect for maximal effectiveness; network instrumentation
- Automated response
- Discover or narrow down the source of an attack
- Integrate with network management and fault diagnosis
- Infer intent; forming the big picture
- Cooperative problem solving

65 Methods Under Investigation
- Methods to detect highly unusual events or combinations of events
  – Statistical methods
  – Neural networks
  – Machine learning
- Methods to detect activity outside prescribed bounds
  – Specification-based detection
- New knowledge-based analysis techniques
  – Graphical intrusion detection
  – State transition models (model-based detection)
- Traceback methods
  – Thumbprinting
(diagram labels: Profile, Model/Pattern, Acceptable, Illegal, Discrepancy, Match, Statistical, Structural)

66 Cooperating Detectors (diagram: several IDS nodes connected to sensors)
- Also needed: efficient and effective methods for peer-to-peer cooperative problem solving to be applied to the detection problem
  – To filter events of only local concern
  – To assess a larger “region”

67 Advanced Techniques
- Statistical anomaly detection (SRI, CMU)
  – establish a historical behavior profile for each desired entity (e.g., user, group, device, process)
  – compare current behavior with the profiles
  – detects departures from established norms
  – continuously update profiles to “learn” changes in subject behavior
  – addresses unanticipated intrusion types
- Early statistical studies:
  – SRI study (Javitz et al): showed users could be distinguished from each other based on patterns of use
  – Sytek study (Lunt et al): showed behavior characteristics can be found that discriminate between normal user behavior and simulated intrusions
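The statistical approach above keeps a behaviour profile per entity, scores each new observation against it, and keeps learning. As an added example (not the presentation's code, nor SRI's or CMU's), the Python below keeps an exponentially weighted mean and variance per entity and feature, reports how many standard deviations a new value lies from the profile, and only then folds the value in, so the profile adapts slowly to drift without an outlier erasing itself. The "logins per day" feature and its values are constructed.

```python
import math


class EntityProfile:
    """One feature's running profile for one entity (user, host, process).

    Uses an exponentially weighted mean and variance so recent behaviour
    matters more than old behaviour; `alpha` sets how fast the profile
    "learns". `observe` returns the anomaly score of a value (distance from
    the mean in standard deviations) and then updates the profile with it.
    """

    def __init__(self, alpha=0.1, min_samples=5):
        self.alpha = alpha
        self.min_samples = min_samples   # no scoring until the profile has warmed up
        self.n = 0
        self.mean = 0.0
        self.var = 0.0

    def observe(self, x):
        if self.n == 0:
            self.mean, self.n = float(x), 1
            return 0.0
        delta = x - self.mean
        # Score before learning, so a clear outlier is judged against the
        # profile it did not yet influence.
        score = 0.0
        if self.n >= self.min_samples:
            score = abs(delta) / math.sqrt(max(self.var, 1e-9))
        self.mean += self.alpha * delta
        self.var = (1 - self.alpha) * (self.var + self.alpha * delta * delta)
        self.n += 1
        return score


class AnomalyDetector:
    """Profiles keyed by (entity, feature); records an alert above `z_threshold`."""

    def __init__(self, z_threshold=3.0):
        self.profiles = {}
        self.z_threshold = z_threshold
        self.alerts = []

    def observe(self, entity, feature, value):
        key = (entity, feature)
        prof = self.profiles.setdefault(key, EntityProfile())
        z = prof.observe(value)
        if z > self.z_threshold:
            self.alerts.append(f"{entity} {feature}={value}: {z:.1f} sd from profile")
        return z


def demo():
    """Constructed daily login counts for one user, then one unusual day."""
    det = AnomalyDetector()
    history = [5, 6, 5, 4, 5, 6, 5, 5, 4, 6]
    for v in history:
        det.observe("jane", "logins_per_day", v)
    z_normal = det.observe("jane", "logins_per_day", 6)
    z_anomalous = det.observe("jane", "logins_per_day", 40)
    return {"z_normal": z_normal, "z_anomalous": z_anomalous, "alerts": len(det.alerts)}
```

The weakness the later "Open Questions" slide points at is visible here too: an adversary who raises a feature slowly enough stays under the threshold while the profile learns the new level, so `alpha` is a security parameter, not just a tuning knob.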

68 Advanced Techniques cont’d
- Machine learning (LANL)
  – Builds a massive tree of statistical “rules” (typically 100,000’s of them)
  – Branches are labeled with conditional probabilities
  – Prunes the tree to a maximum depth of four to six
  – Low-occurrence branches are combined
  – Tree is “trained” from a few days of data
  – Tree cannot be updated to “learn” as usage patterns change
  – Activity is considered abnormal if it does not “match” a branch in the tree or if it matches a branch with a low conditional probability at the last node
- Meta-Learning (Columbia University)
  – Meta-learning integrates a number of separately learned classifiers
  – Multi-layered approach: machine learning and decision procedures detect intrusions locally; meta-learning and decision procedures integrate the collective knowledge acquired by the local agents

69 Advanced Techniques cont’d
- Computational immunology
  – based on biological analogies (e.g., self vs. non-self discrimination)
  – build up a database of observed short sequences of system calls for a program and detect when the observed program behavior exhibits short sequences not in that database (U. of NM)
  – allows the detection of tampered or malicious programs or other suspicious events
  – this potentially lightweight method is being implemented in small, autonomous agents in a CORBA environment (ORA)
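The U. of NM method above is concrete enough to code: record every short window of system calls a program makes during normal operation, then treat any window not in that set as foreign. The following is an added example in Python (not the presentation's code and not the university's implementation) with constructed traces: the "normal" traces are a made-up file-copy loop, and the anomalous ones contain an execve the program never makes. The window length of 4 is an arbitrary choice for the example.

```python
def windows(trace, k):
    """All length-k windows (as tuples) of a system call trace."""
    return {tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)}


class SequenceProfile:
    """Database of the short system call sequences a program exhibits normally.

    `score` is the fraction of windows in a new trace that are absent from the
    database: 0.0 for perfectly familiar behaviour, 1.0 for completely foreign.
    """

    def __init__(self, k=4):
        self.k = k
        self.normal = set()

    def train(self, trace):
        self.normal |= windows(trace, self.k)

    def score(self, trace):
        seen = [tuple(trace[i:i + self.k]) for i in range(len(trace) - self.k + 1)]
        if not seen:
            return 0.0
        foreign = sum(1 for w in seen if w not in self.normal)
        return foreign / len(seen)


# Constructed traces of a made-up program that copies files.
COPY_SHORT = ["open", "read", "write", "close"]
COPY_LONG = ["open", "read", "read", "write", "write", "close"]
TRAINING = [COPY_SHORT * 3, COPY_LONG * 3]

NORMAL_TEST = COPY_SHORT * 2 + COPY_LONG
# Same program, but partway through it spawns something: the execve/dup2
# windows never occurred during training.
ANOMALOUS_TEST = COPY_SHORT + ["open", "read", "execve", "close"]
FOREIGN_TEST = ["open", "read", "write", "execve", "dup2", "dup2", "close"]


def demo():
    """Train on the normal traces, then score a normal and two abnormal ones."""
    prof = SequenceProfile(k=4)
    for t in TRAINING:
        prof.train(t)
    return {
        "normal": prof.score(NORMAL_TEST),
        "anomalous": prof.score(ANOMALOUS_TEST),
        "foreign": prof.score(FOREIGN_TEST),
    }
```

Note that the score counts windows, so a single foreign call contaminates up to k windows around it; the alert threshold therefore depends on k as much as on the program, and training has to cover every legitimate code path or each unexercised path becomes a false positive once it runs.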

70 Advanced Techniques cont’d
- Model-based detection
  – Detects suspicious state transitions (UC Santa Barbara): specifies penetration scenarios as a sequence of actions; keeps track of interesting “state changes”; attempts to identify attacks in progress before damage is done
  – Adapt model-based diagnosis, which has been successful in diagnosing faults in microprocessors, to intrusion detection (MIT)
- Graphical detection (UC Davis)
  – detects intrusions whose activity spans many machines that could be difficult to detect locally
  – specifies intrusion scenarios as graphs of actions covering many machines
  – the graphs provide an intuitive visual display

71 Advanced Techniques cont’d
- Signalling Infrastructure Detection (GTE)
  – detect anomalous events in a network and signalling infrastructure typical of telephone service providers
  – designed for integration into network operations centers
  – uses existing systems/tools for data collection
  – uses anomaly detection and specific signalling protocol “sanity checks”
- Detection in high-speed networks (MCNC)
  – Integrates anomaly detection techniques with network management for ATM networking (IP over ATM)
  – Logical analysis of routing protocol operation to detect anomalous states

72 Advanced Techniques cont’d
- Automated response (Boeing)
  – Integrates firewall, intrusion detection, filtering router, and network management technologies
  – Local intrusion detectors determine threat presence
  – Firewalls communicate intrusion detection information to each other
  – Firewalls cooperate to locate the intruder
  – Network managers automatically reconfigure the network to thwart the attack
  – Firewalls and filtering routers dynamically alter filtering rules to block the intruder
  – Dynamic reconfiguration of logging, monitoring, and access control in response to detected suspicious activity
  – "Fusion" of intrusion-detection data reported by different detectors
  – The monitoring is also adapted as part of the response, to help pinpoint the problem and its source

73 Advanced Techniques cont’d
- Survivable Active Networks (Bellcore)
  – Will allow highly configurable network elements to cooperate with networked hosts to detect, isolate, and recover quickly and automatically from damage due to errors or malicious attacks
  – "Ablative software" will allow suspect activity to be "peeled off" the system while continuing to operate in a microenvironment
- Planning and procedural reasoning (SRI)
  – Suggest and implement incident recovery procedures
  – Uses AI-based automated planning technology for both analysis and recovery and repair
  – Generates explanations to help the sys admin understand what happened and what to do about it
  – Integrate intrusion response tools, to combine the functionality of many tools that specialize in particular areas of incident management, into a security anchor desk (USC-ISI)

74 Open Questions
- Detection performance in realistic settings with single methods and combinations of methods
- Detection performance with faulty and missing data
- False positive and false negative rates
- Time to detection
- Scalability
- Dependence on good intruder models
- Distinction from common failure modes
- What data to collect/observe

75 Common Intrusion Detection Framework
- Standard interfaces
  – an interconnection framework for data collection, analysis, and response components
  – extensible architecture
  – reuse of core technology
  – facilitate tech transfer
  – reduce cost
(diagram: Event Generators E1, E2, E3; Event Analyzers A1, A2; Event Database D; System-specific Controller C; connected through a Standard API)

76 Strategic Intrusion Assessment
- In a two-week period, AFIWC’s intrusion detectors at 100 AFBs alarmed on 2 million sessions
- After manual review, these were reduced to 12,000 suspicious events
- After further manual review, these were reduced to four actual incidents
- Most alarms are false positives
- Most true positives are trivial incidents
- Of the significant incidents, most are isolated attacks to be dealt with locally
(diagram: reporting hierarchy from Local Intrusion Detectors up through Organizational Security Centers, Regional Reporting Centers (CERTs), DoD Reporting Centers, National Reporting Centers and International/Allied Reporting Centers; functions: correlation, patterns, classification, infer intent, assess damage, predict future status, assess certainty)

77 Strategic Intrusion Assessment
- Peer-to-peer cooperation among detectors to decide what to report to higher levels.
- Detectors must be able to:
  – discover each other
  – negotiate requirements
  – collaborate on diagnosis/response
- Improve individual detectors
  – Distinguish what is trivial from significant
  – Distinguish what is locally relevant
- Plan recognition
  – Hypothesize goals for IW adversaries
  – Develop plans for accomplishing each goal (automated planning technology)
  – Overlay with observed incident data to discover intent (plan recognition technology)
  – Estimate certainty
(diagram labels: Suppress false alarms; Correlate & infer intent)

78 Security Detection and Response Center
- Functions:
  – Detection: analyzes and filters events reported from lower layers, for items of interest to this layer and for reporting to higher layers
  – Assessment: to understand coordinated events of interest at this layer and for reporting to higher layers
  – Tracing (e.g., IDIP, active nets)
  – Automated response (e.g., IDIP for connection closing/filtering)
  – Event notification
(diagram: the functions Detection, Assessment, Response, Tracing and Notification, each rated as significant investment, early speculative investigations, or no research)

79 Conclusions
- Currently available technology is not adequate for the problem
- Promising methods under investigation show significant improvement over current technology
- There is still a lot more to be done

