What Does an IDS Detect?
• Attacks against a specific service, such as File Transfer Protocol (FTP)
• Data-driven attacks at the application layer. For example, a SQL injection error could be used to crash an application.
• Host-based attacks (privilege escalation)
• Malware, viruses, Trojan horses, worms

IDS Components
• Sensors – Generate security events such as log files
• Console – Monitors events and alerts, and controls sensors
• Engine – Analyzes the data using artificial intelligence to generate alerts from the events received
• 3 in 1 (sometimes all three are in one appliance)

Types of Intrusion Detection Systems
• Network Based Intrusion Detection System (NIDS)
• Protocol Based Intrusion Detection System (PIDS)
• Application Protocol Based Intrusion Detection System (APIDS)
• Host Based Intrusion Detection System (HIDS)
• Hybrid System

Network Intrusion Detection System
• An independent platform which identifies intrusions by examining network traffic and monitors multiple hosts. Network Intrusion Detection Systems gain access to network traffic by connecting to a hub, a network switch configured for port mirroring, or a network tap. An example of a NIDS is Snort.

Protocol Based Intrusion Detection System
• Consists of a system or agent that would typically sit at the front end of a server, monitoring and analyzing the communication protocol between a connected device (a user/PC or system) and the server.

Application Protocol Based Intrusion Detection System
• Consists of a system or agent that would typically sit within a group of servers, monitoring and analyzing the communication on application-specific protocols. For example, in a web server with a database this would monitor the SQL protocol specific to the middleware/business logic as it transacts with the database.

Host Based Intrusion Detection System
• Consists of an agent on a host which identifies intrusions by analyzing system calls, application logs, file-system modifications (binaries, password files, capability/ACL databases) and other host activities and state. An example of a HIDS is OSSEC.
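The file-system monitoring a HIDS performs boils down to a baseline of file hashes and a later comparison against it. The following is an added example, not code from the slides or from OSSEC: it hashes every file under a directory, then reports which files were modified, added or removed. The directory layout, file contents and the "etc/passwd" and "bin/backdoor" names are constructed in a temporary directory purely for the demonstration.

```python
"""Minimal HIDS-style file integrity check (added example, not OSSEC's code):
hash every file under a root, keep the baseline, and later report the
modified, added and removed files."""
import hashlib
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """SHA-256 of one file, read in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map each file path (relative to root, with '/' separators) to its SHA-256."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def compare_to_baseline(baseline, root):
    """Return (modified, added, removed) as sorted lists of relative paths."""
    current = build_baseline(root)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return modified, added, removed


def demo():
    """Constructed scenario in a temporary directory: after the baseline is taken,
    the password file gains a line, a new binary appears and a config file vanishes."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "etc", "passwd"), "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(os.path.join(root, "etc", "app.conf"), "w") as fh:
            fh.write("debug=false\n")
        with open(os.path.join(root, "bin", "ls"), "wb") as fh:
            fh.write(b"\x7fELF-placeholder")
        baseline = build_baseline(root)

        # Changes made after the baseline (constructed; this is what the agent should flag).
        with open(os.path.join(root, "etc", "passwd"), "a") as fh:
            fh.write("newuser:x:1001:1001::/home/newuser:/bin/sh\n")
        with open(os.path.join(root, "bin", "backdoor"), "wb") as fh:
            fh.write(b"\x7fELF-placeholder")
        os.remove(os.path.join(root, "etc", "app.conf"))

        return compare_to_baseline(baseline, root)


if __name__ == "__main__":
    modified, added, removed = demo()
    print("modified:", modified, "added:", added, "removed:", removed)
```

The baseline itself is the sensitive asset: a real agent stores it (and the hashing binary) where a local root compromise cannot rewrite it, for example signed and shipped to the console, otherwise the intruder simply re-baselines after modifying the files.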
Passive vs. Reactive IDS
• In a passive system, the intrusion detection system (IDS) sensor detects a potential security breach, logs the information and signals an alert on the console and/or to the owner.
• In a reactive system, also known as an Intrusion Prevention System (IPS), the IDS responds to the suspicious activity by resetting the connection or by reprogramming the firewall to block network traffic from the suspected malicious source.

How Is a Firewall Different from an IDS?
• Firewalls look outward and protect against external attacks.
• An IDS evaluates a suspected intrusion once it has taken place and signals an alarm.
• An IDS also watches for attacks that originate from within a system.

Firewall vs. IDS
• Intrusion detection is traditionally achieved by examining network communications, identifying heuristics and patterns (often known as signatures) of common computer attacks, and taking action to alert operators.

IDS Evasion Techniques
• Bypass detection by creating unrecognized states on the IDS and on the targeted computer. The adversary accomplishes this by manipulating either the attack itself or the network traffic that contains the attack.

Obfuscating Attack Payload
• Encoding the attack payload in a way that the target computer will reverse but the IDS will not. In the past, an adversary using Unicode encoding could craft attack packets that an IDS would not recognize but that an IIS web server would decode, leaving the server open to the attack.
• Analogy: speaking French to a bilingual computer, while the IDS only speaks English.
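The defence against payload obfuscation is to make the IDS "bilingual": canonicalize the request the way the protected server will before applying signatures. The block below is an added example, not code from the slides or from any IDS product. The signature list, the three sample requests and the decoding steps (repeated percent-decoding, Unicode NFKC folding, backslash and case folding) are constructed to show the difference between matching on the raw wire bytes and matching on the canonical form.

```python
"""Signature matching before and after request canonicalization (added example).
A matcher that inspects the raw request misses encodings the web server will
undo; canonicalizing first closes that gap."""
import unicodedata
from urllib.parse import unquote

# Constructed signature set: substrings a sensor might flag in a request path/query.
SIGNATURES = [
    "../",          # path traversal
    "' or '1'='1",  # classic SQL injection probe
    "<script",      # reflected script injection
]


def canonicalize(raw, max_rounds=3):
    """Undo the transformations a typical web server applies before acting on a request."""
    text = raw
    # Repeated percent-decoding catches double-encoded input such as %252e (-> %2e -> .).
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    # Unicode compatibility normalization folds look-alike code points (full-width etc.).
    text = unicodedata.normalize("NFKC", text)
    # Treat backslash as a path separator, as Windows-hosted servers do, and ignore case.
    return text.replace("\\", "/").lower()


def match_raw(request):
    """Naive matcher: signatures applied to the request exactly as seen on the wire."""
    lowered = request.lower()
    return [sig for sig in SIGNATURES if sig in lowered]


def match_canonical(request):
    """Hardened matcher: signatures applied to the canonical form."""
    canonical = canonicalize(request)
    return [sig for sig in SIGNATURES if sig in canonical]


# Constructed requests: the same three probes, each encoded so a raw match fails.
SAMPLE_REQUESTS = {
    "double_encoded_traversal": "/files?name=..%252f..%252fetc/passwd",
    "fullwidth_sqli": "/login?user=%EF%BC%87%20or%20%EF%BC%871%EF%BC%87=%EF%BC%871",
    "encoded_script": "/search?q=%3Cscript%3Ealert(1)",
}


def evaluate(requests=SAMPLE_REQUESTS):
    """For each request, return what the raw and the canonical matcher would flag."""
    return {name: (match_raw(req), match_canonical(req)) for name, req in requests.items()}


if __name__ == "__main__":
    for name, (raw_hits, canon_hits) in evaluate().items():
        print(f"{name}: raw={raw_hits} canonical={canon_hits}")
```

The number of decoding rounds and the separator and case rules must mirror the specific server behind the sensor; a sensor that decodes more aggressively than the server produces false positives, one that decodes less produces exactly the misses described on the slide.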
Polymorphic Code
• Another means to circumvent signature-based IDS by creating unique attack patterns, so that the attack does not have a single detectable signature.

Using HTTPS to Obfuscate
• Attacks on encrypted protocols such as HTTPS are obfuscated if the attack is encrypted.

Fragmentation and Small Packets
• One basic technique is to split the attack payload into multiple small packets.
• The IDS must reassemble the packet stream to detect the attack.
• By themselves, small packets will not evade any IDS that reassembles packet streams. However, small packets can be further modified in order to complicate reassembly and detection.
• One evasion technique is to pause between sending parts of the attack, hoping that the IDS will time out before the target computer does.

Protocol Violations
• Some IDS evasion techniques involve deliberately violating the TCP or IP protocols in a way the target computer will handle differently than the IDS. For example, the TCP Urgent Pointer is handled differently on different operating systems and may not be handled correctly by the IDS.

Denial of Service
• An adversary can evade detection by disabling or overwhelming the IDS. This can be accomplished by exploiting a bug in the IDS, using up computational resources on the IDS, or deliberately triggering a large number of alerts to disguise the actual attack.

Inserting Traffic at the IDS
• An adversary can send packets that the IDS will see but the target computer will not. For example, the attacker could send packets whose Time To Live (TTL) fields have been crafted to reach the IDS but not the target computers it protects. This technique leaves the IDS with a different state than the target.
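Both the fragmentation-with-pauses slide and the TTL insertion slide come down to the same sensor-side question: does the reassembled stream the IDS sees equal the stream the host sees? The block below is an added example serving both slides; it is not code from the slides or from Snort. It models one direction of a TCP stream with a small reassembler that (a) discards segments whose TTL cannot reach the protected host, so they never enter the sensor's view of the stream, and (b) applies a configurable idle timeout, showing that a timeout shorter than the host's loses the first part of a slowly delivered payload. The signature, sequence offsets, TTL values, hop count and timing are all constructed; the "keep the first copy of an offset" overlap policy is a simplification, since real stacks differ.

```python
"""Stream reassembly at the sensor with TTL-based insertion filtering and an idle
timeout (added example). Offsets are relative sequence numbers starting at 0."""
from dataclasses import dataclass

# Constructed signature the sensor looks for in the reassembled stream.
SIGNATURE = b"SELECT * FROM users"


@dataclass
class Segment:
    seq: int        # byte offset within the stream
    payload: bytes
    ttl: int        # IP TTL as observed at the sensor
    ts: float       # arrival time in seconds


class StreamReassembler:
    """Per-flow reassembly state for one direction of a TCP stream."""

    def __init__(self, idle_timeout, min_ttl_to_target):
        self.idle_timeout = idle_timeout            # seconds of silence before state is discarded
        self.min_ttl_to_target = min_ttl_to_target  # smallest TTL at the sensor that still reaches the host
        self.buffer = {}                            # seq -> payload
        self.last_seen = None
        self.dropped_insertion = 0

    def feed(self, seg):
        # Insertion defence: a segment that expires before the host cannot change the
        # host's state, so it must not change the sensor's view of the stream either.
        if seg.ttl < self.min_ttl_to_target:
            self.dropped_insertion += 1
            return
        # Idle timeout: a sensor that forgets a quiet flow before the host does loses
        # whatever was buffered, which is exactly what a paused delivery exploits.
        if self.last_seen is not None and seg.ts - self.last_seen > self.idle_timeout:
            self.buffer.clear()
        self.last_seen = seg.ts
        # Simplification: keep the first copy seen for any offset (overlap policy is OS-specific).
        self.buffer.setdefault(seg.seq, seg.payload)

    def stream(self):
        """Contiguous bytes from offset 0; stops at the first hole."""
        out = b""
        for seq in sorted(self.buffer):
            if seq == len(out):
                out += self.buffer[seq]
            elif seq > len(out):
                break
        return out

    def matches(self):
        return SIGNATURE in self.stream()


def detect(segments, idle_timeout, min_ttl_to_target):
    """Feed a constructed segment list through the reassembler and report a match."""
    reassembler = StreamReassembler(idle_timeout, min_ttl_to_target)
    for seg in segments:
        reassembler.feed(seg)
    return reassembler.matches()


def fragmented_session(gap_seconds):
    """Constructed: the payload split in three, with a pause before the last piece."""
    parts = [SIGNATURE[:6], SIGNATURE[6:13], SIGNATURE[13:]]
    segments, seq, ts = [], 0, 0.0
    for i, part in enumerate(parts):
        if i == 2:
            ts += gap_seconds
        segments.append(Segment(seq, part, ttl=64, ts=ts))
        seq += len(part)
        ts += 0.01
    return segments


def insertion_session():
    """Constructed: a low-TTL decoy for offset 6 arrives just before the real segment.
    The host is assumed to need TTL >= 5 at the sensor; the decoy carries TTL 3."""
    parts = [SIGNATURE[:6], SIGNATURE[6:13], SIGNATURE[13:]]
    return [
        Segment(0, parts[0], ttl=64, ts=0.00),
        Segment(6, b"X" * 7, ttl=3, ts=0.01),   # reaches the sensor, expires before the host
        Segment(6, parts[1], ttl=64, ts=0.02),
        Segment(13, parts[2], ttl=64, ts=0.03),
    ]


if __name__ == "__main__":
    print("pause 0.5s, timeout 30s:", detect(fragmented_session(0.5), 30, 5))
    print("pause 120s, timeout 30s:", detect(fragmented_session(120), 30, 5))
    print("pause 120s, timeout 600s:", detect(fragmented_session(120), 600, 5))
    print("insertion, no TTL check:", detect(insertion_session(), 30, 0))
    print("insertion, TTL check:", detect(insertion_session(), 30, 5))
```

The two tunables are the operational takeaway: the sensor's reassembly timeout should be no shorter than the protected hosts' own, and the sensor needs to know the hop distance to each protected host (or observe the TTL values those hosts' replies carry) so that it can treat unreachable segments as noise rather than stream data.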
Intrusion Prevention Goes One Step Further than IDS
• An intrusion prevention system is a network security device that monitors network and/or system activities for malicious or unwanted behavior and can react, in real time, to block or prevent those activities.

Unified Threat Management (UTM)
• Next-generation devices combining:
• Firewall
• Virus scanning
• Content filtering
• VPN
• Anti-spam
• Intrusion detection and prevention

How IDS and IPS Differ
• Intrusion Prevention Systems are designed to sit inline with traffic flows and prevent attacks in real time.
• In addition, most IPS solutions have the ability to look at (decode) layer 7 protocols like HTTP, FTP, and SMTP.

Rate Based IPS
• RBIPS can identify abnormal rates for certain types of traffic:
• Connections per second
• Packets per connection
• Packets to specific ports, etc.
• Attacks are detected when thresholds are exceeded.
• The thresholds are dynamically adjusted based on time of day, day of the week, etc., drawing on stored traffic statistics.
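The rate-based logic on this slide is small enough to show end to end. The following is an added example, not code from the slides or from any RBIPS product: it reads constructed connection-log lines, counts new connections per second per source in a sliding window, and compares the observed rate against an hour-of-day baseline. The baseline table (5 connections/s in office hours, 2/s otherwise), the multiplier of 3, the log format and all addresses and timestamps are constructed; a real system would derive the baseline from stored traffic statistics as the slide says.

```python
"""Rate-based detection over a constructed connection log (added example):
connections per second per source, judged against a per-hour baseline."""
from collections import defaultdict, deque
from datetime import datetime

# Constructed baseline: typical connections/second per source by hour of day.
BASELINE_CPS = {hour: (5 if 8 <= hour < 18 else 2) for hour in range(24)}
MULTIPLIER = 3   # alert when the observed rate exceeds 3x the hourly baseline


def parse_line(line):
    """Constructed log format: '<ISO timestamp> <src> <dst> <dport>'."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


class RateDetector:
    def __init__(self, window_seconds=1.0):
        self.window = window_seconds
        self.recent = defaultdict(deque)   # src -> arrival times inside the window
        self.alerts = {}                   # (src, hour bucket) -> (first time, rate, limit)

    def threshold(self, ts):
        return BASELINE_CPS[ts.hour] * MULTIPLIER

    def observe(self, ts, src):
        """Record one new connection and return the source's current rate."""
        q = self.recent[src]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() >= self.window:
            q.popleft()                    # slide the window forward
        rate = len(q) / self.window
        limit = self.threshold(ts)
        if rate > limit:
            key = (src, ts.strftime("%Y-%m-%dT%H"))
            # keep the first crossing per source and hour so one burst yields one alert
            self.alerts.setdefault(key, (ts.isoformat(timespec="milliseconds"), rate, limit))
        return rate


def run(lines):
    """Return sorted (src, first alert time, rate, limit) tuples for the given log lines."""
    detector = RateDetector()
    for line in lines:
        ts, src, _dst, _dport = parse_line(line)
        detector.observe(ts, src)
    return sorted((src, when, rate, limit)
                  for (src, _hour), (when, rate, limit) in detector.alerts.items())


def constructed_log():
    """Constructed traffic: two normal clients, one port sweep, and a night-time burst."""
    lines = []
    # 10.0.0.7: 3 connections in one second at 14:00 -> well under the 15/s limit.
    for i in range(3):
        lines.append(f"2024-05-01T14:00:00.{i * 300:03d} 10.0.0.7 10.0.1.5 443")
    # 10.0.0.9: 8 connections in one second at 14:00 -> still under 15/s.
    for i in range(8):
        lines.append(f"2024-05-01T14:00:05.{i * 100:03d} 10.0.0.9 10.0.1.5 443")
    # 203.0.113.4: 20 connections to successive ports within one second -> exceeds 15/s.
    for i in range(20):
        lines.append(f"2024-05-01T14:00:10.{i * 40:03d} 203.0.113.4 10.0.1.5 {22 + i}")
    # 10.0.0.9 again: the same 8/s burst at 03:00 exceeds the night-time limit of 6/s.
    for i in range(8):
        lines.append(f"2024-05-02T03:00:00.{i * 100:03d} 10.0.0.9 10.0.1.5 443")
    return lines


if __name__ == "__main__":
    for src, when, rate, limit in run(constructed_log()):
        print(f"ALERT {when} src={src} rate={rate:.0f}/s limit={limit}/s")
```

The same 8 connections per second from 10.0.0.9 is ignored at 14:00 and flagged at 03:00, which is the whole point of time-adjusted thresholds; an inline IPS would attach a block or rate-limit action to the alert, and the per-hour baseline table is what the product keeps updating from observed traffic.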
Host-based vs. Network IPS
• Benefit of HIPS: HIPS can handle encrypted and unencrypted traffic equally, because it can analyze the data after it has been decrypted on the host.
• Benefit of NIPS: NIPS does not use processor and memory on computer hosts but uses its own CPU and memory.
• NIPS drawback AND benefit, depending on how you look at it: NIPS is a single point of failure, which is considered a disadvantage; however, this property also makes it simpler to maintain.
• Use failover or load balancing to combat this NIPS disadvantage.
• NIPS can detect events scattered over the network (e.g. a low-level event targeting many different hosts, like a worm) and can react.
• With a HIPS, only the host’s own data is available to make a decision.
• It would take too much time to report it to a central decision-making engine and report back to block.

Some IDS and IPS Movies
• Cisco Sensor
• Cisco IDS/IPS Overview
• Snort With Add-On Tools