INTRUSION DETECTION
ITSY3104 COMPUTER SECURITY - A - LECTURE 8 - Intrusion Detection
Mr. RAJASEKAR RAMALINGAM
Department of IT, College of Applied
Sciences, Sur.
Sultanate of Oman.
http://vrrsekar.wixsite.com/raja
Based on
William Stallings, Lawrie Brown,
Computer Security: Principles and
Practice, Third Edition
CONTENT
8.1 Intruders
8.2 Classes of intruders
8.3 Examples of Intrusion
8.4 Security Intrusion & Detection
8.5 Intrusion Techniques
8.6 Intrusion Detection Systems
8.7 IDS Principles
8.8 IDS Requirements
8.9 Host-Based IDS
8.10 Network-Based IDS
8.11 Intrusion Detection Exchange Format
8.12 Honeypot
8.1 INTRUDERS
• A significant security problem for networked systems is
unwanted trespass by users or software.
1) User trespass: Unauthorized logon to a machine,
acquisition of privileges or performance of actions
beyond those that have been authorized.
2) Software trespass: Form of a virus, worm, or Trojan
horse.
8.2 Classes of intruders:
8.3 Examples of Intrusion
• Remote root compromise
• Web server defacement
• Guessing / cracking passwords
• Copying / viewing sensitive data / databases
• Running a packet sniffer
• Distributing pirated software
• Using an unsecured modem to access net
• Impersonating a user to reset password
• Using an unattended workstation
8.4 Security Intrusion & Detection
1) Security Intrusion
A security event, or combination of multiple security
events, that constitutes a security incident in which an
intruder gains, or attempts to gain, access to a system
(or system resource) without having authorization to
do so.
2) Intrusion Detection
A security service that monitors and analyzes system
events for the purpose of finding, and providing real-
time or near real-time warning of attempts to access
system resources in an unauthorized manner.
8.5 Intrusion Techniques
• Objective is to gain access to or increase privileges on
a system.
• Most initial attacks use system or software
vulnerabilities that allow a user to execute code
– To open a back door into the system. E.g., buffer overflow.
– To gain protected information. E.g., password.
• Intruder behavior patterns
– Hacker
– Criminal Enterprise
– Internal threat
8.5.1 Hackers
• Motivated by thrill of access and status
– Hacking community is a strong meritocracy.
– Status is determined by level of competence.
1) Select the target using IP lookup tools such as NSLookup, Dig, and others
2) Map network for accessible services using tools such as NMAP
3) Identify potentially vulnerable services (in this case, pcAnywhere)
4) Brute force (guess) pcAnywhere password
5) Install remote administration tool called DameWare
6) Wait for administrator to log on and capture his password
7) Use that password to access remainder of network
8.5.2 Criminal Enterprise
• Organized groups of hackers now a threat
– Corporation / government / loosely affiliated gangs
– Typically young
– Common target is credit cards on an e-commerce server
Criminal Enterprise - Patterns of Behavior
– Act quickly and precisely to make their activities harder to detect
– Exploit perimeter via vulnerable ports
– Use Trojan horses (hidden software) to leave back doors for re-entry
– Use sniffers to capture passwords
– Do not stick around until noticed
8.5.3 Insider Attacks
• Among most difficult to detect and prevent
• Employees have access & systems knowledge
Internal Threat - Patterns of Behavior
– Create network accounts for themselves and their friends
– Access accounts and applications they wouldn't normally use for their daily jobs
– E-mail former and prospective employers
– Conduct furtive instant-messaging chats
– Visit web sites that cater to disgruntled employees, such as f'dcompany.com
– Perform large downloads and file copying
– Access the network during off hours
8.6 Intrusion Detection Systems
• Classify intrusion detection systems (IDSs) as:
– Host-based IDS: monitor single host activity
– Network-based IDS: monitor network traffic
• Logical components:
– Sensors - collect data
– Analyzers - determine if intrusion has occurred
– User interface - manage / direct / view IDS
8.7 IDS Principles
• Assume intruder behavior differs from legitimate
users
– Expect overlap as shown
– Observe deviations from past history
– Problems of:
• False positives
• False negatives
• Must compromise
8.8 IDS Requirements
• Run continually
• Be fault tolerant
• Resist subversion
• Impose a minimal overhead on system
• Configured according to system security policies
• Adapt to changes in systems and users
• Scale to monitor large numbers of systems
• Provide graceful degradation of service
• Allow dynamic reconfiguration
8.9 Host-Based IDS
• Specialized software to monitor system activity to detect
suspicious behavior
– primary purpose is to detect intrusions, log suspicious
events, and send alerts
– can detect both external and internal intrusions
• Two approaches, often used in combination:
– anomaly detection - defines normal/expected behavior
• Threshold detection
• Profile based
– signature detection - defines proper behavior
8.9.1 Anomaly Detection
• Threshold detection
– Checks excessive event occurrences over time
– Alone a crude and ineffective intruder detector
– Must determine both thresholds and time intervals
• Profile based
– Characterize past behavior of users / groups
– Then detect significant deviations
– Based on analysis of audit records
• Gather metrics: counter, gauge, interval timer, resource utilization
• Analyze: mean and standard deviation, multivariate, Markov process, time series, operational model
8.9.2 Signature Detection
• Observe events on the system and apply a set of rules to decide whether an intruder is present
• Approaches:
– Rule-based anomaly detection
• Analyze historical audit records for expected
behavior, then match with current behavior
– Rule-based penetration identification
• Rules identify known penetrations / weaknesses
• Often by analyzing attack scripts from Internet
• Supplemented with rules from security experts
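As an added example (not code from the lecture or from Stallings), the sketch below runs the three ideas of 8.9.1 and 8.9.2 over constructed audit records: threshold detection (event count inside a time window), profile-based detection (a per-user metric compared with its own mean and standard deviation) and one rule-based penetration-identification rule. The record layout, host addresses, thresholds and window sizes are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed audit records (not from the lecture): (seconds, user, event, source host)
AUDIT = [
    (0, "alice", "login_fail", "10.0.0.5"),
    (20, "alice", "login_fail", "10.0.0.5"),
    (40, "alice", "login_fail", "10.0.0.5"),
    (55, "alice", "login_fail", "10.0.0.5"),
    (70, "alice", "login_ok", "10.0.0.5"),
    (90, "bob", "login_ok", "10.0.0.9"),
    (100, "bob", "file_read", "10.0.0.9"),
]

def threshold_alerts(records, event, limit, window):
    """Threshold detection: a user who raises `event` more than `limit`
    times inside any `window`-second interval is reported. Both the
    threshold and the interval must be chosen by the operator (8.9.1)."""
    per_user = defaultdict(list)
    for ts, user, ev, _ in records:
        if ev == event:
            per_user[user].append(ts)
    flagged = set()
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):            # sliding window over timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > limit:
                flagged.add(user)
    return sorted(flagged)

def profile_alerts(history, today, k=2.0):
    """Profile-based detection: `history` maps user -> past daily counts of a
    metric; a count today more than k std deviations from the user's mean is reported."""
    flagged = []
    for user, counts in history.items():
        mu, sigma = mean(counts), pstdev(counts)
        sigma = max(sigma, 1.0)   # floor: a flat profile would otherwise flag any change
        if abs(today.get(user, 0) - mu) > k * sigma:
            flagged.append(user)
    return flagged

def signature_alerts(records, fails=3, window=120):
    """Rule-based penetration identification: one fixed rule, at least `fails`
    failed logins then a success from the same user and host within `window` seconds."""
    alerts = []
    recent = defaultdict(list)
    for ts, user, ev, host in records:
        if ev == "login_fail":
            recent[(user, host)].append(ts)
        elif ev == "login_ok":
            prior = [t for t in recent[(user, host)] if ts - t <= window]
            if len(prior) >= fails:
                alerts.append((user, host, "password guessing followed by success"))
            recent[(user, host)].clear()
    return alerts
```

Lowering `limit` or `k`, or widening `window`, catches more intrusions at the cost of more false positives; that is the compromise referred to in 8.7.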
8.10 Network-Based IDS
• Network-based IDS (NIDS)
– Monitor traffic at selected points on a network
– In (near) real time to detect intrusion patterns
– May examine network, transport and/or
application level protocol activity directed
toward systems
• Comprises a number of sensors
– Inline (possibly as part of other net device)
– Passive (monitors copy of traffic)
8.10.1 NIDS Sensor Deployment
• Inline sensor
– inserted into a network segment so that the traffic that it is monitoring must pass through the sensor
• Passive sensor
– monitors a copy of network traffic
• Sensor placement:
8.10.2 NIDS - Intrusion Detection Techniques
• Signature detection
– At application, transport, network layers; unexpected
application services, policy violations
• Anomaly detection
– of denial of service attacks, scanning, worms
• When a potential violation is detected, the sensor sends an alert and logs information
– Used by analysis module to refine intrusion detection
parameters and algorithms
– By security admin to improve protection
8.11 Intrusion Detection Exchange Format
8.12 Honeypot
• Decoy systems designed to:
– lure a potential attacker away from critical systems
– collect information about the attacker’s activity
– encourage the attacker to stay on the system long enough for administrators to
respond
• filled with fabricated information that a legitimate user of the system
wouldn’t access
• resource that has no production value
– incoming communication is most likely a probe, scan, or attack
– outbound communication suggests that the system has probably been
compromised
• once hackers are within the network, administrators can observe
their behavior to figure out defenses
Honeypot Classifications
• Low interaction honeypot
– Consists of a software package that emulates particular
IT services or systems well enough to provide a
realistic initial interaction,
• but does not execute a full version of those services
or systems
– Provides a less realistic target
– Often sufficient for use as a component of a distributed
IDS to warn of imminent attack
• High interaction honeypot
– A real system, with a full operating system, services and
applications,
• which are instrumented and deployed where they can be
accessed by attackers
– Is a more realistic target that may occupy an attacker for an
extended period
– However, it requires significantly more resources
– If compromised could be used to initiate attacks on other
systems
Honeypot Deployment