3. Chapter Outline
1.0 Intrusion Detection Systems
1.1 Types of IDS
1.2 Technical Bypass of IDS
1.3 Fragmentation
1.4 Related Tools for Network IDS
1.5 Next Generation IDS
1.6 Zero-day Attack
4. OBJECTIVES AND DELIVERABLE
• Understand the concept of IDS and the two major categorizations: by features/models, and by location.
• Understand the pros and cons of each approach
• Understand the difference between exploits and vulnerabilities
6. DEFINITIONS
Intrusion
A set of actions aimed at compromising the security goals, namely integrity, confidentiality, or availability, of a computing and networking resource.
Intrusion detection
The process of identifying, classifying and responding to intrusion activities.
Intrusion prevention
Extension of intrusion detection (ID) with the exercise of access control to protect computers from exploitation.
8. INTRUSION DETECTION SYSTEM (IDS)
An intrusion detection system (IDS) is a system that monitors network traffic for suspicious activity and issues alerts when such activity is discovered.
What is intrusion detection?
- Passive in design
9. MONITOR (DETECT) FOR ATTACKS
Advantages of an IDS:
• Works passively
• Requires traffic to be mirrored in order to reach it
• Network traffic does not pass through the IDS unless it is mirrored
[Figure: Intrusion Detection System Operation. A switch mirrors traffic to an IDS-enabled sensor that watches the target and reports to a management console.]
10. ELEMENTS OF INTRUSION DETECTION
Primary assumptions:
■ System activities are observable
■ Normal and intrusive activities have distinct evidence
Components of intrusion detection systems:
■ From an algorithmic perspective:
■ Features - capture intrusion evidence
■ Models - piece evidence together
■ From a system architecture perspective:
■ Various components: audit data processor, knowledge base, decision engine, alarm and responses
11. COMPONENTS OF INTRUSION DETECTION SYSTEM
[Figure: block diagram of an intrusion detection system. The assumption "system activities are observable" feeds Audit Records and Activity Data; the assumption "normal and intrusive activities have distinct evidence" feeds the detection engine, which produces an Action/Report.]
13. 1. MISUSE DETECTION
Intrusion patterns: sequences of system calls, patterns of network traffic, etc.
Pattern matching against these patterns identifies intrusion activities.
Example: if (traffic contains “x90+de[Arn]{30}”) then “attack detected”
Problems?
Disadvantage: Can't detect new attacks
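The following is an added illustration of misuse (signature-based) detection; it is not code from the original slides. It keeps a small constructed signature database of byte regexes, inspects each packet payload against every signature, and raises an alert on a match. The last constructed packet carries the same kind of SQL tautology as an earlier one but with a different literal, so no signature fires: that is the "cannot detect new attacks" weakness stated above. Signature names, patterns and sample traffic are all assumptions made for the example.

```python
import re

# Constructed signature database: name -> compiled byte regex over the payload.
# These patterns are illustrative, not a real IDS ruleset.
SIGNATURES = {
    "nop-sled": re.compile(rb"\x90{16,}"),                         # long run of x86 NOP bytes
    "sqli-tautology": re.compile(rb"'\s*or\s*'?1'?\s*=\s*'?1",     # ' OR '1'='1 style tautology
                                 re.IGNORECASE),
}


def match_signatures(payload: bytes) -> list:
    """Return the names of every signature whose pattern occurs in the payload."""
    return [name for name, pattern in SIGNATURES.items() if pattern.search(payload)]


def scan_packets(packets):
    """Run misuse detection over (source_ip, payload) pairs.

    Returns a list of (source_ip, [matched signature names]) for packets that
    matched at least one signature; everything else is silently passed.
    """
    alerts = []
    for src, payload in packets:
        hits = match_signatures(payload)
        if hits:
            alerts.append((src, hits))
    return alerts


# Constructed sample traffic (not captured data).
SAMPLE_PACKETS = [
    ("10.0.0.5", b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),  # benign
    ("10.0.0.7", b"user=' OR '1'='1&pass=x"),                               # matches sqli-tautology
    ("10.0.0.9", b"\x90" * 32 + b"\xcc\xcc"),                               # matches nop-sled
    ("10.0.0.11", b"user=' OR 2=2 --&pass=x"),  # same attack class, different literal: no signature, missed
]

if __name__ == "__main__":
    for src, hits in scan_packets(SAMPLE_PACKETS):
        print(f"attack detected from {src}: {', '.join(hits)}")
```

The fourth packet is the point of the example: a signature database only knows what has been written into it, so a variant the rule author did not anticipate passes through. Extending the regex to cover `2=2` just moves the boundary; it does not remove it.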
14. Misuse or Signature-based Detection
1. Contains a database of recognized (known) attacks
2. Activity is compared with signature database
3. Send alarm for suspicious activities
4. Cannot detect new attacks
15. All the following are functions of Misuse or Signature-based Detection in IDS except one:
(a) Contains a database of recognized (known) attacks
(b) Activity is compared with signature database
(c) Can detect new attacks
(d) Cannot detect new attacks
(e) Sound alarm for suspicious activities
16. 2. ANOMALY DETECTION
Define a profile describing "normal" behavior, then detect deviations from it.
Any problem?
[Figure: bar chart of activity measures (CPU, process size) comparing the normal profile with abnormal values that indicate a probable intrusion.]
Relatively high false positive rates
• Anomalies can just be new normal activities.
• Anomalies caused by other element faults
• E.g., router failure or misconfiguration, P2P misconfig
• Which method will detect DDoS SYN flooding ?
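As an added example (not from the original slides) of the anomaly-detection idea above, the code below learns a "normal" profile for one activity measure (new connections per minute, a constructed measure) as a mean and standard deviation over a quiet training window, then flags any later observation that lies more than k standard deviations above the mean. One constructed observation is a flood of connections; another is a large but legitimate increase in load. Both are flagged, which is exactly the false-positive problem listed above: the detector cannot tell a new normal from an attack. The threshold k, the training counts and the observations are assumptions for the example.

```python
import statistics


def build_profile(training_counts):
    """Learn the 'normal' profile of a measure from a training window.

    The profile is just the mean and (population) standard deviation of the
    per-minute counts seen during a period believed to be attack-free.
    """
    return {
        "mean": statistics.fmean(training_counts),
        "stdev": statistics.pstdev(training_counts),
    }


def is_anomalous(profile, value, k=3.0):
    """True when value exceeds the learned mean by more than k standard deviations."""
    return value > profile["mean"] + k * profile["stdev"]


def detect(profile, observations, k=3.0):
    """Return the (minute, value) observations that deviate from the profile."""
    return [(t, v) for t, v in observations if is_anomalous(profile, v, k)]


# Constructed training window: ten quiet minutes of new-connection counts.
TRAINING = [48, 52, 50, 47, 53, 49, 51, 50, 46, 54]

# Constructed observations scored against the profile.
OBSERVATIONS = [
    (1, 50),    # an ordinary minute: not flagged
    (2, 3200),  # connection flood: flagged (a true deviation)
    (3, 400),   # product launch, legitimate load: also flagged (a false positive)
]

if __name__ == "__main__":
    profile = build_profile(TRAINING)
    print(f"profile: mean={profile['mean']:.1f} stdev={profile['stdev']:.2f}")
    for minute, value in detect(profile, OBSERVATIONS):
        print(f"minute {minute}: {value} connections/min deviates from profile")
```

Raising k suppresses the false positive at minute 3 only until the next legitimate change is larger still; lowering it catches smaller attacks at the cost of more alarms. Retraining the profile on recent traffic handles the "new normal" case, but an attacker who ramps up slowly can then train the profile to accept the attack.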
17. Anomaly or Behavior-based Detection
1. Looks for usage anomalies
2. Sometimes called an expert system
3. Mostly results in more false positives than signature-based detection
4. Can detect new attacks
Behaviour-based intrusion detection systems mostly result in more false positives than signature-based IDS. (True/False)
19. HOST-BASED IDS
Use OS auditing and monitoring mechanisms to find applications taken over by attacker
■ Log all relevant system events (e.g., file/device accesses)
■ Monitor shell commands and system calls executed by user applications and system programs
■ Pay a price in performance if every system call is filtered
Problems:
■ User dependent: install/update IDS on all user machines!
■ If attacker takes over machine, can tamper with IDS binaries and modify audit logs
■ Only local view of the attack
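The following is an added example, not code from the original slides, of the host-based approach described above: it parses a constructed, simplified audit record format (not real auditd syntax) and applies two rules of the kind a host IDS would carry. The first flags a service account spawning a shell (an application taken over by an attacker); the second flags any process other than the audit daemon touching the audit log, which is the tampering problem listed above. The record format, the rules, the uid/path values and the sample log lines are all assumptions for the example.

```python
import re
from collections import namedtuple

# Constructed, simplified audit record format (not real auditd syntax):
#   "<time> uid=<uid> comm=<process> syscall=<name> arg=<path>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) uid=(?P<uid>\d+) comm=(?P<comm>\S+) "
    r"syscall=(?P<syscall>\w+) arg=(?P<arg>\S+)$"
)

Event = namedtuple("Event", "ts uid comm syscall arg")


def parse_line(line):
    """Parse one audit record; return None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["uid"] = int(fields["uid"])
    return Event(**fields)


# Assumed policy for the example: uid 33 is the web server's service account,
# which has no business starting an interactive shell, and only the audit
# daemon should open or remove the audit log.
SERVICE_UIDS = {33}
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash"}
AUDIT_LOG = "/var/log/audit/audit.log"


def check_event(ev):
    """Return the names of the rules this single event violates."""
    findings = []
    if ev.syscall == "execve" and ev.uid in SERVICE_UIDS and ev.arg in SHELLS:
        findings.append("shell-from-service-account")
    if ev.syscall in ("openat", "unlink") and ev.arg == AUDIT_LOG and ev.comm != "auditd":
        findings.append("audit-log-tampering")
    return findings


def scan_log(lines):
    """Run every rule over every parseable record; return (time, rule, process) alerts."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # malformed record: skipped here, but worth counting in production
        for rule in check_event(ev):
            alerts.append((ev.ts, rule, ev.comm))
    return alerts


# Constructed sample records (not a real capture).
SAMPLE_LOG = [
    "12:00:01 uid=33 comm=apache2 syscall=openat arg=/var/www/html/index.html",
    "12:00:02 uid=1000 comm=bash syscall=execve arg=/usr/bin/ls",
    "12:00:03 uid=33 comm=apache2 syscall=execve arg=/bin/sh",
    "12:00:04 uid=0 comm=auditd syscall=openat arg=/var/log/audit/audit.log",
    "12:00:05 uid=0 comm=vim syscall=openat arg=/var/log/audit/audit.log",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for ts, rule, comm in scan_log(SAMPLE_LOG):
        print(f"{ts} {rule}: {comm}")
```

The second rule only works while the records themselves are trustworthy. Once an attacker holds root on the host, both the rule and the log it reads are under their control, which is why the slide lists a local-only view and log tampering as limitations rather than solved problems; shipping records off-host as they are written narrows that window.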
20. NETWORK IDS
Deploying sensors at strategic locations
■ For example, packet sniffing via tcpdump at routers
Inspecting network traffic
■ Watch for violations of protocols and unusual connection patterns
■ Look into the packet payload for malicious code
Limitations
■ Cannot execute the payload or do any code analysis!
■ Must record and process a huge amount of traffic
■ May be easily defeated by encryption, but this can be mitigated by terminating the encryption at the gateway/proxy so the traffic is inspected there
22. NETWORK BASED IDS
[Figure: network-based IDS sensors placed at Internet gateway routers.]
At the early stage of a worm there are only limited worm samples. Host-based sensors can only cover a limited IP space, which raises scalability issues, so they might not be able to detect the worm in its early stage.
23. HOST-BASED VS. NETWORK-BASED IDS
Give an attack that can only be detected by host-based IDS but not network-based IDS.
Sample qn:
■ SQL injection attack
Can you give an example that can only be detected by network-based IDS but not host-based IDS?
24. KEY METRICS OF IDS/IPS
Algorithm
■ Alarm: A; Intrusion:
■ Detection (true alarm) rate
■ False negative rate
■ False alarm (aka false positive) rate
■ True negative rate
Architecture
■ Throughput of NIDS, targeting tens of Gbps
■ E.g., 32 nsec for a 40 byte TCP SYN packet
■ Resilient to attacks
25. ALARM TRIGGERING MECHANISMS
Understanding Alarm Types:
Alarm Type      Network Activity     IPS Activity         Outcome
False positive  Normal user traffic  Alarm generated      Tune alarm
False negative  Attack traffic       No alarm generated   Tune alarm
True positive   Attack traffic       Alarm generated      Ideal setting
True negative   Normal user traffic  No alarm generated   Ideal setting
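As an added example covering the key metrics of slide 24 and the alarm table above (not code from the original slides), the code below labels each evaluated event with one of the four alarm types, tallies them, and computes the detection, false negative, false alarm and true negative rates, each conditioned on the true nature of the event as the slide's alarm/intrusion notation implies. A second function works out how many alarms to expect per day from a given traffic volume, which shows why even a small false alarm rate dominates the analyst's queue when intrusions are rare. The sample outcomes and traffic figures are constructed for the example.

```python
def classify(intrusion, alarm):
    """Name the alarm-table row for one event: was it an intrusion, did the IDS alarm?"""
    if intrusion:
        return "true positive" if alarm else "false negative"
    return "false positive" if alarm else "true negative"


def confusion_counts(outcomes):
    """Tally (intrusion, alarm) pairs into the four alarm types."""
    counts = {"true positive": 0, "false negative": 0,
              "false positive": 0, "true negative": 0}
    for intrusion, alarm in outcomes:
        counts[classify(intrusion, alarm)] += 1
    return counts


def ids_metrics(outcomes):
    """Compute the slide's rates from labelled outcomes.

    Detection and false negative rates are conditioned on real intrusions;
    false alarm and true negative rates are conditioned on normal traffic.
    """
    c = confusion_counts(outcomes)
    intrusions = c["true positive"] + c["false negative"]
    normal = c["false positive"] + c["true negative"]
    alarms = c["true positive"] + c["false positive"]

    def rate(num, den):
        return num / den if den else 0.0

    return {
        "detection_rate": rate(c["true positive"], intrusions),       # P(alarm | intrusion)
        "false_negative_rate": rate(c["false negative"], intrusions), # P(no alarm | intrusion)
        "false_alarm_rate": rate(c["false positive"], normal),        # P(alarm | normal)
        "true_negative_rate": rate(c["true negative"], normal),       # P(no alarm | normal)
        "alarm_precision": rate(c["true positive"], alarms),          # share of alarms worth acting on
        **c,
    }


def expected_alarms(events_per_day, intrusion_fraction, detection_rate, false_alarm_rate):
    """Expected (true alarms, false alarms) per day for a given traffic mix."""
    intrusions = events_per_day * intrusion_fraction
    normal = events_per_day - intrusions
    return intrusions * detection_rate, normal * false_alarm_rate


# Constructed evaluation set: 4 real intrusions (3 caught, 1 missed) among 6
# normal events (1 wrongly alarmed, 5 correctly quiet).
SAMPLE_OUTCOMES = [
    (True, True), (True, True), (True, True), (True, False),
    (False, True), (False, False), (False, False),
    (False, False), (False, False), (False, False),
]

if __name__ == "__main__":
    for name, value in ids_metrics(SAMPLE_OUTCOMES).items():
        print(f"{name:>20}: {value}")
    # Assumed traffic figures: a million events a day, 0.01% of them intrusions.
    true_alarms, false_alarms = expected_alarms(1_000_000, 0.0001, 0.9, 0.01)
    print(f"per day: {true_alarms:.0f} true alarms, {false_alarms:.0f} false alarms")
```

With the assumed figures, a 1% false alarm rate produces roughly ten thousand false alarms a day against about ninety true ones, so the false alarm rate has to be driven far below the intrusion prevalence before alarms become actionable; that is the quantitative side of the "tune alarm" outcome in the table.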
26. QUESTIONS
2. An intrusion detection system did not notify the network administrator of any threat in the network, but on close inspection the administrator found that there were indeed malicious threats in the network. Which of the following metrics best describes the situation?
(a) True positive
(b) False negative
(c) True negative
(d) False positive
(e) None of the above
31. ZERO-DAY ATTACKS
WHAT IS ZERO-DAY ATTACK?
A zero-day vulnerability is a network vulnerability that is previously unknown to, or unaddressed by, those who should be interested in mitigating it. Until the vulnerability is mitigated, hackers can exploit it to adversely affect computer programs, data, additional computers or a network.
32. COUNTING ZERO-DAY ATTACKS
[Figure: zero-day counting pipeline. A network tap feeds a protocol classifier that separates traffic by port (TCP 25, 53, 80, 137; UDP 1434) into a honeynet/darknet, followed by statistical detection.]
33. PROBLEMS WITH CURRENT IDS
1. Inaccuracy of exploit-based signatures
2. Cannot recognize unknown anomalies/intrusions
3. Cannot provide quality information for forensics or situational-aware analysis
4. Hard to differentiate malicious events from unintentional anomalies
5. Anomalies can be caused by network element faults, e.g., router misconfiguration, link failures, etc., or application (such as P2P) misconfiguration
6. Cannot tell the situational-aware information: attack scope/target/strategy, attacker (botnet) size, etc.