Intrusion Detection (ITS335: IT Security) - PowerPoint PPT Presentation



SLIDE 1

ITS335 Intrusion Detection Intruders Intrusion Detection Host-Based Distributed Host-Based Network-Based Honeypots Summary

Intrusion Detection

ITS335: IT Security

Sirindhorn International Institute of Technology Thammasat University

Prepared by Steven Gordon on 25 October 2013 its335y13s2l07, Steve/Courses/2013/s2/its335/lectures/intrusion.tex, r2958

SLIDE 2

Intruders and Intrusion Detection

◮ Attacks will occur
◮ Successful attacks allow intruders to gain unauthorised access to resources
◮ Often cheaper to prevent some attacks and detect the rest
◮ Intrusion Detection Systems (IDS) aim to detect attacks
◮ Monitor and analyse system events to find, log and warn of intrusions
◮ Response from a detected attack may be technical or legal

SLIDE 3

Contents

Intruders
Intrusion Detection
Host-Based Intrusion Detection
Distributed Host-Based Intrusion Detection
Network-Based Intrusion Detection
Honeypots
Summary

SLIDE 4

Types of Intruders

Masquerader: someone who is not authorised to use the system and penetrates access controls to exploit a legitimate user’s account; outsider

Misfeasor: legitimate user who accesses resources they are not authorised to, or misuses privileges; insider

Clandestine user: takes administrator control of the system and uses it to evade detection and access controls; insider or outsider
SLIDE 5

Examples of Intrusion

◮ Remote root/administrator compromise of server
◮ Defacing a web server
◮ Guessing/obtaining passwords
◮ Copying databases containing private information, e.g. credit card numbers
◮ Viewing sensitive data, e.g. payroll records, medical information
◮ Capturing network packets to obtain usernames and passwords
◮ Using computer resources to distribute inappropriate/illegal material
◮ Posing as other people (e.g. executive, help-desk) to gain passwords
◮ Using unattended, logged-in computer without permission

SLIDE 6

Intruder Behaviour

Cracker

◮ Motivated by thrill of access and/or status
◮ Look for open targets; may share information with others
◮ Use security flaws in software to gain access
◮ IDS and IPS are very useful

Criminal Enterprise

◮ Motivated by financial reward and/or political/religious ideologies
◮ Corporations, government funded, gangs
◮ Specific targets; avoid publicity
◮ Use security flaws and social engineering to gain access
◮ IDS and IPS are useful

SLIDE 7

Intruder Behaviour

Internal Threat

◮ Motivated by revenge and/or entitlement
◮ Have access to system; difficult to detect
◮ Internal security mechanisms are useful: least privilege, strong authentication, logging and auditing, employee termination policies

SLIDE 8

Intrusion Techniques

Aim: gain access to system or increase privileges on system

Exploit flaws in software

◮ Bugs in software that allow execution of code by intruder
◮ Solution: keep track of vulnerabilities (CERT); regular software updates

Acquire protected information

◮ Password guessing or cracking
◮ Social engineering attacks
◮ Solution: appropriate technologies, policies and education for confidential information


SLIDE 10

Intrusion Detection Systems

Types

Host-based: monitor characteristics of a single computer
Distributed host-based: monitor characteristics on a set of computers, with a central module detecting intrusions
Network-based: monitor network traffic to identify suspicious activity

Common Components

Sensors: collect data, e.g. packets, log files, system call traces
Analysers: receive collected data, analyse it and determine if an intrusion has occurred
User Interface: allows user to view output and control behaviour of IDS

SLIDE 11

IDS Principles

Assume intruder behaviour is different from that of legitimate users

Credit: Figure 8.1 in Stallings and Brown, Computer Security, 2nd Ed., Pearson 2012

False positive: legitimate user identified as intruder
False negative: intruder not identified

SLIDE 12

IDS Requirements

◮ Run continually with minimal human supervision
◮ Recover from system restart/crashes
◮ Monitor itself and detect attacks on itself
◮ Impose minimal overhead on system
◮ Configurable according to system security policies
◮ Adapt to system and user behaviour changes over time
◮ Scale to monitor large number of hosts
◮ Still (partially) work if some components stop working


SLIDE 14

Host-Based IDS

◮ Special layer of software to protect vulnerable systems
◮ Primary purpose: detect intrusions, log suspicious events, send alerts
◮ May be able to stop attacks if detected early
◮ Can detect both internal and external attacks

SLIDE 15

Anomaly vs Signature Detection

Anomaly Detection

◮ Compare observed behaviour against previously collected normal behaviour
◮ Threshold detection: thresholds based on frequency of occurrence of events, independent of user
◮ Profile-based: profiles of users created and compared against

Signature Detection

◮ Define behaviour or attacks by set of rules or patterns; compare observed behaviour against rules/patterns
◮ Rule-based anomaly detection: define rules based on past observed normal behaviour
◮ Rule-based penetration identification: define rules based on attacks

SLIDE 16

Audit Records

Native

◮ Most operating systems have logs of software and user activity
◮ Advantage: no additional collection software needed
◮ Disadvantage: logs may not contain all needed information, or may be in an inconvenient form

Detection-specific

◮ Records generated specifically for IDS
◮ Advantage: may work on different systems
◮ Disadvantage: extra overhead in collecting information

SLIDE 17

Example Measures for Intrusion Detection

Login and Session Activity
Measure | Type of Intrusion Detected
Login frequency by day and time | Intruders may be likely to log in during off hours
Frequency of login at different locations | Intruders may log in from a location that a particular user never uses
Time since last login | Break-in on a “dead” account
Elapsed time per session | Significant deviations might indicate masquerader
Quantity of output to location | Excessive amounts of data transmitted to remote locations could signify leakage of sensitive data
Session resource utilisation | Unusual processor or I/O levels could signal intruder
Password failures at login | Attempted break-in by password guessing
Failures to login from specified terminals | Attempted break-in

Command or Program Execution Activity
Measure | Type of Intrusion Detected
Execution frequency | Detect intruders based on their use of different commands
Program resource utilisation | Increased processor utilisation or I/O may indicate virus/Trojan
Execution denials | May detect attempt by user seeking higher privileges

File Access Activity
Measure | Type of Intrusion Detected
Read, write, create, delete frequency | Abnormal values may indicate masquerading
Records read, written | Abnormal values may indicate attempt to obtain sensitive data
Failure count for read, write, create, delete | May detect users who persistently attempt to access unauthorised files
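Added example, not part of the lecture slides: a small host-based detector in Python that applies the three approaches of slide 15 to measures from the table above (password failures at login, login time, execution denials). The audit record format, the records and alice's login-hour profile are all constructed for the example.

```python
"""Host-based detection over constructed audit records: threshold and
profile-based anomaly detection plus a signature rule. Constructed data."""
from collections import defaultdict
from datetime import datetime

# Constructed audit records: (timestamp, user, event, detail); not real logs.
AUDIT = [
    ("2013-10-25 09:02:11", "alice", "login", "ok"),
    ("2013-10-25 23:48:09", "alice", "login", "ok"),       # off-hours login
    ("2013-10-25 02:10:00", "bob", "login", "fail"),
    ("2013-10-25 02:10:04", "bob", "login", "fail"),
    ("2013-10-25 02:10:09", "bob", "login", "fail"),
    ("2013-10-25 02:10:21", "bob", "login", "ok"),
    ("2013-10-25 02:11:00", "bob", "exec", "denied:/etc/shadow"),
]
# Constructed profile: hours at which each user normally logs in (learned
# earlier from that user's own history; bob has no profile yet).
PROFILES = {"alice": {9, 10, 11}}

def hour(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").hour

def threshold_detection(records, max_failures=3):
    """Threshold detection: one limit for every user (password failures at login)."""
    fails = defaultdict(int)
    for _, user, event, detail in records:
        if event == "login" and detail == "fail":
            fails[user] += 1
    return sorted(u for u, n in fails.items() if n >= max_failures)

def profile_detection(records, profiles):
    """Profile-based: successful login at an hour outside the user's own profile."""
    return [(ts, user) for ts, user, event, detail in records
            if event == "login" and detail == "ok"
            and user in profiles and hour(ts) not in profiles[user]]

def signature_detection(records):
    """Rule-based penetration identification: fixed attack patterns, here a
    success directly after >= 3 failures, and any execution denial."""
    alerts, streak = [], defaultdict(int)
    for ts, user, event, detail in records:
        if event == "login" and detail == "fail":
            streak[user] += 1
        elif event == "login":
            if streak[user] >= 3:
                alerts.append((ts, user, "login after repeated failures"))
            streak[user] = 0
        elif event == "exec" and detail.startswith("denied:"):
            alerts.append((ts, user, "execution denied: " + detail[7:]))
    return alerts
```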


SLIDE 19

Distributed Host-Based Intrusion Detection

◮ Host-based IDS on multiple computers within an organisation’s LAN or internetwork
◮ Host agent collects and analyses audit records on individual hosts
◮ LAN monitor agent analyses LAN traffic
◮ Host and LAN monitor agents send alerts to central manager
◮ Central manager combines data to detect intrusion; may request data from specific hosts
◮ Issues:
  ◮ Deal with different audit record formats
  ◮ Data transmitted over network by agents must be secured
  ◮ With central architecture, single point of failure
  ◮ With distributed architecture, complex coordination involved
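Added example, not from the lecture: two host agents translate differently formatted audit records into one common format, authenticate what they send with an HMAC so the manager can reject altered messages, and the central manager correlates failed logins across hosts, which no single host would flag on its own. Host names, log lines and the shared key are constructed.

```python
"""Distributed host-based IDS: agents normalise different audit formats,
authenticate them with an HMAC, and a central manager correlates. All data,
hosts and the shared key below are constructed."""
import csv, hashlib, hmac, io, json, re
from collections import defaultdict

# Constructed raw records, one format per host (not real logs).
HOST_A_SYSLOG = """Oct 25 02:10:00 hostA sshd[811]: Failed password for bob from 10.0.0.5
Oct 25 02:10:30 hostA sshd[811]: Failed password for bob from 10.0.0.5
Oct 25 02:11:00 hostA sshd[812]: Accepted password for alice from 10.0.0.9"""
HOST_B_CSV = """2013-10-25T02:12:00,hostB,login_fail,bob,10.0.0.5
2013-10-25T02:12:40,hostB,login_fail,root,10.0.0.5"""
KEY = b"constructed-shared-key"  # agents and manager share it out of band
SYSLOG_RE = re.compile(r"(Failed|Accepted) password for (\w+) from ([\d.]+)")

def agent_a(raw):
    """Host agent A: syslog text -> common {host, user, src, event} records."""
    out = []
    for line in raw.splitlines():
        m = SYSLOG_RE.search(line)
        if m:
            event = "login_fail" if m.group(1) == "Failed" else "login_ok"
            out.append({"host": "hostA", "user": m.group(2),
                        "src": m.group(3), "event": event})
    return out

def agent_b(raw):
    """Host agent B: CSV rows -> the same common record format."""
    return [{"host": h, "user": u, "src": s, "event": e}
            for _, h, e, u, s in csv.reader(io.StringIO(raw))]

def send(records, key):
    """Agent -> manager: serialised records plus an HMAC, so a modified or forged
    message is rejected (confidentiality would additionally need TLS)."""
    body = json.dumps(records, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()

def manager(messages, key, min_hosts=2):
    """Central manager: verify each message, then flag a source that fails
    logins on min_hosts or more hosts, even if below each host's threshold."""
    hosts_by_src = defaultdict(set)
    for body, tag in messages:
        expected = hmac.new(key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            continue                       # drop tampered or forged message
        for r in json.loads(body):
            if r["event"] == "login_fail":
                hosts_by_src[r["src"]].add(r["host"])
    return sorted(s for s, h in hosts_by_src.items() if len(h) >= min_hosts)
```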

SLIDE 20

Architecture for Distributed Intrusion Detection

Credit: Figure 8.2 in Stallings and Brown, Computer Security, 2nd Ed., Pearson 2012


SLIDE 22

Network-Based Intrusion Detection (NIDS)

◮ Monitor traffic at selected points on network using sensors
◮ Analyse traffic to detect intrusion patterns (either at sensors or management server)
◮ Examine packets at close to real time
◮ Inline sensor:
  ◮ Inserted into network; analyses traffic as it passes through sensor
  ◮ Runs as software on existing switch, router or firewall; no extra hardware needed
  ◮ Can prevent an attack as soon as detected
◮ Passive sensor:
  ◮ Monitors copy of traffic
  ◮ Extra device that receives copy of traffic, e.g. switch port mirroring
  ◮ Minimal impact on performance of traffic
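Added example, not from the slides: one port-scan detector (a threshold on distinct destination ports per source within a time window) driven by a passive sensor, which can only report, and by an inline sensor, which can drop the packets of a flagged flow. The packet records (timestamp, source, destination, destination port, TCP flags) are constructed; there is no real capture.

```python
"""Passive vs inline NIDS sensor sharing one port-scan detector. Constructed packets."""
from collections import defaultdict, deque

PACKETS = [  # constructed: 10.0.0.9 browses normally, 10.0.0.5 probes ports
    (0.0, "10.0.0.9", "10.0.0.20", 80, "S"), (0.4, "10.0.0.9", "10.0.0.20", 443, "S"),
    (1.0, "10.0.0.5", "10.0.0.20", 21, "S"), (1.1, "10.0.0.5", "10.0.0.20", 22, "S"),
    (1.2, "10.0.0.5", "10.0.0.20", 23, "S"), (1.3, "10.0.0.5", "10.0.0.20", 25, "S"),
    (1.4, "10.0.0.5", "10.0.0.20", 80, "S"), (1.5, "10.0.0.5", "10.0.0.20", 110, "S"),
    (30.0, "10.0.0.9", "10.0.0.20", 80, "S"),
]

class ScanDetector:
    """Per (src, dst) pair, distinct destination ports seen within `window` s."""
    def __init__(self, window=10.0, max_ports=5):
        self.window, self.max_ports = window, max_ports
        self.recent, self.flagged = defaultdict(deque), set()

    def observe(self, pkt):
        """True if pkt belongs to a flow flagged as a port scan."""
        ts, src, dst, dport, flags = pkt
        key = (src, dst)
        if key in self.flagged:
            return True
        if "S" in flags:                      # only connection attempts count
            q = self.recent[key]
            q.append((ts, dport))
            while ts - q[0][0] > self.window:  # forget SYNs outside the window
                q.popleft()
            if len({p for _, p in q}) > self.max_ports:
                self.flagged.add(key)
                return True
        return False

def passive_sensor(packets):
    """Passive sensor on a mirrored port: can only report (time, src, dst)."""
    det, alerts = ScanDetector(), []
    for pkt in packets:
        newly = (pkt[1], pkt[2]) not in det.flagged
        if det.observe(pkt) and newly:
            alerts.append((pkt[0], pkt[1], pkt[2]))
    return alerts

def inline_sensor(packets):
    """Inline sensor: traffic passes through it, so a flagged flow is dropped."""
    det = ScanDetector()
    return [pkt for pkt in packets if not det.observe(pkt)]
```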

SLIDE 23

Example of Network Intrusion Detection System

Credit: Figure 8.5 in Stallings and Brown, Computer Security, 2nd Ed., Pearson 2012


SLIDE 25

Honeypots

◮ Decoy systems designed to:
  ◮ Lure a potential attacker away from critical systems
  ◮ Collect information about the attacker’s activity
  ◮ Encourage the attacker to stay on the system long enough for administrators to respond
◮ Filled with fabricated information that a legitimate user of the system wouldn’t access
◮ Resource that has no production value
  ◮ Incoming communication is most likely a probe, scan, or attack
  ◮ Outbound communication suggests that the system has probably been compromised
◮ Once intruders are within the network, administrators can observe their behaviour to figure out defences

SLIDE 26

Example of Honeypot Deployment

Credit: Figure 8.8 in Stallings and Brown, Computer Security, 2nd Ed., Pearson 2012


SLIDE 28

Key Points

◮ Intruders may be insider or outsider
◮ Aim of intruder: gain access to system or increase privileges on system
◮ Exploit flaws in software, acquire protected information
◮ Intrusion detection: distinguish normal behaviour from behaviour of intruder
◮ Look for anomalies or patterns
◮ Collect data from one or more hosts, or network devices

SLIDE 29

Security Issues

◮ Hard to achieve optimal trade-off:
  ◮ High false positives: Denial of Service
  ◮ High false negatives: security of system compromised
◮ Attackers constantly changing approach to evade detection

SLIDE 30

Areas To Explore

◮ Intrusion Prevention Systems
◮ Legality of intrusions and honeypots
◮ Techniques and algorithms for defining normal/abnormal behaviour