
Intrusion detection



  1. INTRUSION DETECTION
     By: Umesh Dhital
  2. PRESENTATION OUTLINE
     - Introduction: What? Why? History
     - Typical Intrusion Scenario
     - Types of Attacks
     - What an IDS does
     - Types of IDS
       - Based on detection approach: advantages / disadvantages
       - Based on protected system: network / host based detection
     - Evaluation of IDS
     - Commercially available IDS: Snort
     - References
     - Q/A
     1/31/2015 2 INTRUSION DETECTION
  3. WHAT IS AN INTRUSION DETECTION SYSTEM?
     - Intrusion: any unauthorized access, unpermitted attempt to access or damage, or malicious use of information resources
     - Intrusion Detection: detection of break-ins and break-in attempts via automated software systems
     - Intrusion Detection Systems (IDS): defense systems which detect and possibly prevent intrusion activities
  4. WHAT IS NOT AN IDS?
     - Network logging systems
     - Security scanners: vulnerability assessment tools that check for flaws in the OS and network
     - Antivirus products
     - Security/cryptographic systems, e.g. VPN, SSL, Kerberos
     - Firewalls
  5. WHY IDS?
     Straightforward reason: to protect data and system integrity.
     Fact: this cannot be done with ordinary password and file security alone.
     Misconceptions:
     - A network firewall will keep the bad guys off my network, right?
     - My anti-virus will recognize and get rid of any virus I might catch, right?
     - And my password-protected access control will stop the office cleaner trawling through my network after I've gone home, right?
     So that's it: "I'm fully protected"
  6. HERE IS THE REALITY
     - Anti-virus systems are only good at detecting viruses they already know about
     - Passwords can be hacked, stolen or changed by others
     - Firewalls DO NOT recognize attacks and block them
       - Simply a fence around your network
       - No capacity to detect that someone is trying to break in (digging a hole underneath it)
       - Cannot determine whether somebody coming through the gate is allowed to enter or not
     - Roughly 80% of financial losses occur from hacking inside the network: "BEWARE OF INTERNAL INTRUDERS"
     - Example: In April 1999, many sites were hacked via a bug in ColdFusion. All had firewalls blocking all access except port 80. But it was the web server that was hacked.
  7. ID: A BRIEF HISTORY
     - 1980: James Anderson's paper "Computer Security Threat Monitoring and Surveillance"; the concept of "detecting" misuse and specific user events emerged
     - 1984: Dr. Dorothy Denning and SRI developed the first model for intrusion detection; the Intrusion Detection Expert System was developed
     - 1988: the Haystack project at a University of California lab released an intrusion detection system for the US Air Force
     - 1989: commercial company Haystack Labs released Stalker
     - 1990: UC's Todd Heberlein introduced the idea of a "Network Detection System" and developed the Network Security Monitor; SAIC developed the Computer Misuse Detection System
  8. HISTORY, CONTD.
     - US Air Force developed the Automated Security Measurement System
     - The ID market gained popularity around 1997
     - 1998: ISS developed RealSecure
     - Cisco purchased the Wheel Group
     - The first host-based detection company, Centrax Corporation, emerged
     - Currently IDS is the top-selling security technology
     Source:
  9. TYPICAL INTRUSION SCENARIO
     Information Gathering -> Further Information Gathering -> Attack! -> Successful Intrusion -> Fun and Profit
     - Information Gathering: find as much information as possible; whois lookups and DNS zone transfers; normal browsing to gather important information
     - Further Information Gathering: ping sweeps, port scanning; web server vulnerabilities; versions of applications/services
     - Attack!: start trying out different attacks; UNICODE attack if IIS is installed; try to find misconfigured running services; passive attack / active attack
     - Successful Intrusion: install own backdoors and delete log files; replace existing services with own Trojan horses that have backdoor passwords, or create own user accounts
     - Fun and Profit: steal confidential information; use the compromised host to launch further attacks; change the web site for fun
  11. TYPES OF ATTACK
     - Unauthorized access to resources
       - Password cracking
       - Spoofing, e.g. DNS spoofing
       - Scanning ports and services
       - Network packet listening
       - Stealing information
       - Unauthorized network access
       - Use of IT resources for private purposes
     - Unauthorized alteration of resources
       - Falsification of identity
       - Information altering and deletion
       - Unauthorized transmission and creation of data
       - Configuration changes to systems and network services
  12. TYPES OF ATTACK, CONTD.
     - Denial of Service
       - Flooding: ping flood, mail flood
       - Compromising the system: buffer overflow, remote system shutdown
     - Web application attack
     "Most attacks are not a single attack but a series of individual events developed in a coordinated manner"
  14. WHAT IS AN IDEAL IDS SUPPOSED TO DO?
     - Identify possible incidents: detect that an attacker has compromised the system
     - Report to the administrator
     - Log information: keep a log of suspicious activities
     - Can be configured to:
       - Recognize violations of security policies
       - Monitor file transfers, e.g. copying a large database onto a user's laptop
       - Identify reconnaissance activity: attack tools and worms perform reconnaissance such as host and port scans
  16. IDS TYPES: BASED ON DETECTION APPROACH
     - Knowledge-based or signature-based
     - Behavior-based or anomaly-based
     Knowledge-based:
     - Matches signatures of well-known attacks against state changes in systems or the stream of packets flowing through the network
     - Examples of signatures:
       - A telnet attempt with username "root", which is a violation of an organization's security policy
       - An e-mail with the subject "Free Pictures" and an attachment "freepics.exe": characteristics of a malware
  17. ADVANTAGES / DISADVANTAGES OF KB-IDS
     - Very few false alarms
     - Very effective at detecting previously known threats
     - Ineffective at detecting new threats, or threats disguised by evasion techniques
     - Compares a current unit of activity (e.g. a network packet or a log entry) to a list of signatures using string comparison operations
     - Little understanding of network or application protocols; cannot track the state of complex communications
       - e.g. cannot pair a request with the corresponding response
       - Cannot remember a previous request while processing the current request
  18. BEHAVIOR-BASED IDS
     - Compares normal events against observed events to identify significant deviations
     - Has profiles representing the normal behavior of users, hosts, network connections or applications
     - Profiles are developed by monitoring the characteristics of typical activity over a period of time
     - Profiles can cover behavioral attributes such as the number of emails sent by a user, the number of failed logins for a host, the level of processor usage, etc.
     - Example: a profile for a network might show that, on average, 13% of network bandwidth is due to Web activity during typical workday hours. The IDS can then use statistical methods to compare the current Web-activity bandwidth with the expected value and alert the administrator if an unusually high share of bandwidth is being consumed by Web activity.
  19. STATIC VS. DYNAMIC PROFILES
     - Profiles are generated over a period of time (days or sometimes weeks)
     - A static profile is unchanged unless a new profile is required to be generated
       - Changes in systems and/or networks make a static profile inaccurate (generate it again)
     - Dynamic profile defect: susceptible to evasion attempts from attackers who perform malicious activity frequently, so that it is gradually absorbed into the profile
  20. ADVANTAGES / DISADVANTAGES OF BB-IDS
     - Very effective at detecting unknown threats
       - Example: suppose a computer is infected with a new type of malware. The malware consumes a large share of the computer's processor resources, sends a large number of emails and initiates a large number of network connections. This is significantly different from the established profiles.
     - High false alarm rate
       - Any activity not seen during the training phase is flagged as anomalous
     - Making a profile is very challenging
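The statistical profile idea from slides 18 to 20, as an added example that is not part of the original presentation: a static profile built from constructed Web-bandwidth samples around the slide's 13% baseline flags a sudden jump with a z-score test, while a dynamic profile that keeps absorbing new observations is walked past by a slow ramp, the evasion the static vs. dynamic slide warns about. The sample values, the 3-sigma threshold and the moving-average update are assumptions, not from the slides.

```python
from statistics import mean, pstdev

# Constructed training samples (not real measurements): share of network
# bandwidth used by Web traffic in each sampling interval during workday hours.
TRAINING = [0.12, 0.14, 0.13, 0.11, 0.15, 0.13, 0.12, 0.14, 0.13, 0.13]

def build_profile(samples):
    """Static profile: mean and standard deviation of the attribute."""
    return {"mean": mean(samples), "std": pstdev(samples)}

def is_anomalous(profile, observed, threshold=3.0):
    """Flag an observation more than `threshold` standard deviations from the
    profile mean (a simple z-score test)."""
    if profile["std"] == 0:
        return observed != profile["mean"]
    return abs(observed - profile["mean"]) / profile["std"] > threshold

def update_profile(profile, observed, alpha=0.5):
    """Dynamic profile: pull the mean toward each new observation (exponential
    moving average). Only the mean drifts here; the spread stays fixed."""
    new_mean = profile["mean"] + alpha * (observed - profile["mean"])
    return {"mean": new_mean, "std": profile["std"]}

def monitor(observations, profile, dynamic=False):
    """Return the indices of observations that raise an alert. With a dynamic
    profile, every observation (alerted or not) is folded into the profile."""
    alerts = []
    for i, obs in enumerate(observations):
        if is_anomalous(profile, obs):
            alerts.append(i)
        if dynamic:
            profile = update_profile(profile, obs)
    return alerts

def slow_ramp(start=0.13, step=0.01, count=40):
    """Constructed evasion pattern: Web bandwidth creeps up one step per interval."""
    return [start + step * k for k in range(1, count + 1)]

if __name__ == "__main__":
    profile = build_profile(TRAINING)
    ramp = slow_ramp()  # ends at 53% of bandwidth, four times the baseline
    print("static profile alerts at indices:", monitor(ramp, profile))
    print("dynamic profile alerts at indices:", monitor(ramp, profile, dynamic=True))
```

With these values the static profile alerts at the fourth interval (17%), while the dynamic profile never alerts even though the ramp ends far above any normal level.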
  21. NETWORK-BASED INTRUSION DETECTION
     - The IDS is placed on the network, near the system(s) being monitored
     - Monitors network traffic for particular network segments or devices
     - The network interface card is placed in promiscuous mode to capture all network traffic
     - Sensors are placed on network segments to check the packets
     - Primary types of signatures are string signatures, port signatures and header condition signatures
  22. NETWORK-BASED INTRUSION DETECTION, CONTD.
     - String signature: looks for text/strings that may indicate a possible attack
       - Example: on a UNIX system, "cat" "+ +" > /.rhosts
     - Port signature: watches for connection attempts to well-known, frequently attacked ports
       - Example: telnet (TCP port 23), FTP (TCP ports 21/20)
       - The ports are not in use, but packets are arriving at those ports
     - Header signature: watches for dangerous or illogical combinations of packet headers
       - Example: a TCP packet with both SYN and FIN flags set, i.e. a request that wishes to start and stop the connection at the same time
     - Limitations
       - Cannot detect attacks in encrypted network traffic (e.g. HTTPS, VPN)
       - IDS sensors are susceptible to various attacks
       - A large volume of traffic can crash the IDS sensor itself
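The three NIDS signature types on this slide, plus the telnet-as-root signature from the knowledge-based slide, as an added example that is not from the original presentation. The packet records, the set of ports treated as served on the monitored host, and the signature names are constructed for illustration.

```python
# Constructed sample packets (not a real capture): TCP destination port,
# the set of TCP flags, and the payload bytes.
PACKETS = [
    {"dport": 80, "flags": {"ACK", "PSH"}, "payload": b"GET /index.html HTTP/1.0\r\n"},
    {"dport": 23, "flags": {"ACK", "PSH"}, "payload": b"login: root\r\n"},
    {"dport": 21, "flags": {"SYN"}, "payload": b""},
    {"dport": 443, "flags": {"SYN", "FIN"}, "payload": b""},
    {"dport": 23, "flags": {"ACK", "PSH"}, "payload": b'cat "+ +" > /.rhosts\n'},
]

# Assumed: the monitored host only serves these ports, so connection attempts
# to other well-known ports are probes rather than legitimate traffic.
SERVED_PORTS = {22, 80, 443}

def string_signature(name, needle, port=None):
    """String signature: a byte pattern in the payload, optionally on one port.
    Plain substring matching is crude, which is why such rules also fire on
    harmless text that happens to contain the same bytes."""
    return name, lambda p: needle in p["payload"] and (port is None or p["dport"] == port)

def port_signature(name, watched_ports):
    """Port signature: a connection attempt (SYN) to a frequently attacked
    port that this host does not actually serve."""
    return name, lambda p: (p["dport"] in watched_ports
                            and p["dport"] not in SERVED_PORTS
                            and "SYN" in p["flags"])

def header_signature(name, required_flags):
    """Header signature: an illogical flag combination such as SYN with FIN."""
    return name, lambda p: required_flags <= p["flags"]

SIGNATURES = [
    string_signature("rhosts-trust-write", b'"+ +" > /.rhosts'),
    string_signature("telnet-root-login", b"root", port=23),
    port_signature("unused-service-probe", {21, 23}),
    header_signature("tcp-syn-fin", {"SYN", "FIN"}),
]

def scan(packets, signatures=SIGNATURES):
    """Check each packet on its own against every signature and return
    (packet index, signature name) pairs. The matching is stateless: nothing
    here can pair a request with its response or recall an earlier packet."""
    alerts = []
    for i, pkt in enumerate(packets):
        for name, match in signatures:
            if match(pkt):
                alerts.append((i, name))
    return alerts

if __name__ == "__main__":
    for index, name in scan(PACKETS):
        print(f"packet {index}: {name}")
```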
  24. HOST-BASED IDS
     - A piece or pieces of software on the system to be monitored
     - Uses log files and the network traffic in/out of that host as data sources
     - Monitors incoming packets, login activities, root activities and file systems
     - A host-based IDS might monitor wired and wireless network traffic, system logs, running processes, and file access/modification
  26. EVALUATION OF IDSs
     Source: Iftikhar Ahmad, Azween B. Abdullah and Abdullah S. Alghamdi, "Comparative Analysis of Intrusion Detection Approaches", 12th International Conference on Computer Modelling and Simulation, 2010
  27. CURRENTLY AVAILABLE IDSs
     Network-based IDS: Internet Security Systems RealSecure; Symantec NetProwler; Network ICE BlackICE Defender; CyberSafe Centrax
     Host-based IDS: Internet Security Systems RealSecure; Symantec Intruder Alert; Tripwire; CyberSafe Centrax Detection Appliance
     Snort, Fragroute/Fragrouter and OSSEC HIDS are some of the most popular open source IDS
  28. SNORT
     - Open source NIDS developed by Sourcefire
     - Combines the benefits of signature-based and behavior-based intrusion detection techniques
     - Has 300,000 registered users
  29. LINKS
     - How to install SNORT (in Linux)
     - How to install and use SNORT (in XP)
     - carbo.dll is the file that can be used to remotely view any file your web server has permission to view
  30. REFERENCES
     - Roman V. Yampolskiy and Venu Govindaraju, "Computer Security: a Survey of Methods and Systems", Journal of Computer Science 3 (7), 2007
     - Iftikhar Ahmad, Azween B. Abdullah and Abdullah S. Alghamdi, "Comparative Analysis of Intrusion Detection Approaches", 12th International Conference on Computer Modelling and Simulation, 2010
     - David Elson, "Intrusion Detection, Theory and Practice"
     - Karen Scarfone, Peter Mell, "Guide to Intrusion Detection and Prevention Systems (IDPS)", NIST Special Publication 800-94
     - ISS, "Network- vs. Host-based Intrusion Detection", A Guide to Intrusion Detection Technology
     - FAQs: