Intrusion Detection Systems (IDS), John Kristoff, jtk@depaul.edu



SLIDE 1

IDS Colloquium 2001, John Kristoff, DePaul University

Intrusion Detection Systems (IDS)

John Kristoff
jtk@depaul.edu
+1 312 362-5878
DePaul University, Chicago, IL 60604

SLIDE 2

Why IDS?

  • Interesting, but immature technology
  • Provides lots of data/information
  • Generally doesn't interfere with communications
  • Anything that improves security...

SLIDE 3

What is IDS?

  • Ideally, immediately identifies successful attacks
  • Should have an immediate notification system
      - Out-of-band from the attack if possible
  • Can probably also monitor attack attempts
  • Might have attack diagnosis, recommendation and/or automated attack mitigation response
  • Lofty goals:
      - 0% false positive rate
      - 0% false negative rate

SLIDE 4

Privacy issues

  • Does an IDS violate privacy?
      - Are packet headers (protocols) private?
      - Is identification (an address) private?
      - Are packet contents (payload) private?
      - Are communications (flows/sessions) private?
  • Where is the IDS?
  • Who manages the IDS?
  • How is the IDS data handled and managed?

SLIDE 5

Storage, mining and presentation

  • IDSs can collect LOTS of information
  • What is useful data?
  • What are you looking for?
  • Data correlation within/outside of the IDS?
  • What does the admin see?
  • Where and for how long do you keep data?
  • How do you secure access to IDS data?

SLIDE 6

Host IDS

  • An integral part of an end-system
      - System log monitor
      - Kernel-level packet monitor
      - Application-specific
  • A very good place to put security
  • Distributed management issues
  • Not all end systems will support an IDS
  • Will be as useful as the end user is clueful

SLIDE 7

Network IDS

  • An add-on to the communications system
  • Generally passive and invisible to the ends
  • May see things a host IDS cannot easily see
      - Fragmentation, other host attacks (correlation)
  • May not understand network traffic
      - Unknown protocols/applications, encryption
  • May miss things that don't cross its boundary

SLIDE 8

Anomaly detection

  • A form of artificial intelligence
  • Learn what is normal for a network/system
  • If an event is not normal, generate an alert
  • May catch new attacks not seen before
  • For a simple but effective example see:
      - Detecting Backdoors, Y. Zhang and V. Paxson, 9th USENIX Security Symposium
  • An area of active research

SLIDE 9

Signature matching

  • Know what an attack looks like and look for it
  • Very easy to implement
  • Low false positive rate
  • Most current IDSs are of this type
  • Easy to fool
  • Signatures must be added/updated regularly

SLIDE 10

Honeypots

  • A system that welcomes attacks
      - Generally unbeknownst to the attacker
  • The system is very closely monitored
  • Can be used to test new technology/systems
  • Generally educational in nature
  • Helpful as a trend monitor for that system type
  • Be careful the honeypot doesn't become a liability

SLIDE 11

Possible IDS failure modes

  • Fragmentation, state and high speeds
      - Requires lots of CPU, memory and bandwidth
  • Inability to decode message/transaction
      - t^Hrr^Hm56^H^H //^H -u^Hrf
  • Background noise
  • Tunnelling/encryption
  • IDS path evasion
  • Stupid user tricks

SLIDE 12

The poor man's Network IDS

  • Set up a router, a subnet and a Unix host
  • Block all outgoing/incoming packets:
      access-list 100 deny ip any any log
  • Log packets (filter matches) with syslog
  • Use perl/grep/uniq/... to build simple reports:
      Total violations: 468
      Top source host: badguy.org
      Top dest. TCP port: 21 (ftp)
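The report the slide describes, as an added example that is not from the deck: a small Python replacement for the perl/grep/uniq pipeline, run over a few constructed syslog lines in the Cisco IOS %SEC-6-IPACCESSLOGP format that the logged deny ACL produces (the exact message format and the sample addresses are assumptions, and the slide's reverse-DNS hostname is replaced by the raw source address).

```python
import re
import socket
from collections import Counter

# Constructed sample syslog modelled on the Cisco IOS %SEC-6-IPACCESSLOGP
# message that "deny ip any any log" emits (the format is an assumption;
# these are not real log entries).
SAMPLE_SYSLOG = """\
Mar  3 10:01:02 gw 42: %SEC-6-IPACCESSLOGP: list 100 denied tcp 203.0.113.7(40321) -> 192.0.2.10(21), 1 packet
Mar  3 10:02:15 gw 43: %SEC-6-IPACCESSLOGP: list 100 denied tcp 198.51.100.9(51000) -> 192.0.2.11(23), 1 packet
Mar  3 10:06:02 gw 44: %SEC-6-IPACCESSLOGP: list 100 denied tcp 203.0.113.7(40322) -> 192.0.2.10(21), 7 packets
Mar  3 10:06:30 gw 45: %SEC-6-IPACCESSLOGP: list 100 denied udp 198.51.100.9(53) -> 192.0.2.10(53), 2 packets
Mar  3 10:07:00 gw 46: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

# IOS logs the first matching packet, then periodic "N packets" summaries,
# so the packet count field is summed rather than counting log lines.
ACL_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w*: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?, (?P<count>\d+) packets?"
)

def service_name(port):
    # /etc/services lookup so the report can print "21 (ftp)" like the slide
    try:
        return socket.getservbyport(port, "tcp")
    except OSError:
        return "unknown"

def summarize(syslog_text):
    """Total denied packets, top source host and top TCP destination port."""
    total, by_src, by_dport = 0, Counter(), Counter()
    for line in syslog_text.splitlines():
        m = ACL_RE.search(line)
        if not m or m["action"] != "denied":
            continue  # unrelated syslog message, or a permit entry
        n = int(m["count"])
        total += n
        by_src[m["src"]] += n
        if m["proto"] == "tcp" and m["dport"]:
            by_dport[int(m["dport"])] += n
    top_src = by_src.most_common(1)[0] if by_src else None
    top_port = None
    if by_dport:
        port, n = by_dport.most_common(1)[0]
        top_port = (port, service_name(port), n)
    return {"total": total, "top_src": top_src, "top_tcp_dport": top_port}
```

Feed it the output of `grep IPACCESSLOG /var/log/syslog` instead of the constructed text to get the three numbers the slide shows for a real router.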

SLIDE 13

The poor man's host IDS

  • Use snort (http://www.snort.org) or...
  • Turn on all logging and do log reporting
  • Install a fake service and monitor it
      - tcp_wrappers, BackOfficer Friendly
  • Use diff (or equivalent) to monitor file changes
      - Keep copies of data/configs elsewhere
  • Use Tripwire or equivalent
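The "diff or Tripwire" step above, as an added example that is not part of the original deck: a minimal Tripwire-style baseline-and-compare script in Python that records size, mode and SHA-256 per file, stores the baseline in a separate directory (standing in for the off-host copy the slide recommends), and reports added, removed and changed paths. The file names and contents in demo() are constructed.

```python
import hashlib
import json
import os
import stat
import tempfile

def snapshot(root):
    """Record size, mode and SHA-256 of every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are not hashed
            with open(path, "rb") as f:  # whole-file read; chunk it for big trees
                digest = hashlib.sha256(f.read()).hexdigest()
            baseline[os.path.relpath(path, root)] = {
                "size": st.st_size, "mode": oct(st.st_mode), "sha256": digest}
    return baseline

def compare(old, new):
    """Paths added, removed or changed (content, size or mode) since old."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "changed": changed}

def _write(path, text, mode="w"):
    with open(path, mode) as f:
        f.write(text)

def demo():
    """Constructed walk-through: baseline a tree, alter it, report the diff."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as vault:
        os.mkdir(os.path.join(root, "etc"))
        _write(os.path.join(root, "etc", "passwd"), "root:x:0:0::/root:/bin/sh\n")
        _write(os.path.join(root, "etc", "hosts"), "127.0.0.1 localhost\n")
        # the baseline lives in "vault", i.e. off the monitored tree
        _write(os.path.join(vault, "baseline.json"), json.dumps(snapshot(root)))
        # simulate a modified config file and a newly dropped file
        _write(os.path.join(root, "etc", "passwd"), "guest:x:1001:1001::/home/guest:/bin/sh\n", "a")
        _write(os.path.join(root, "etc", "rc.local"), "#!/bin/sh\n")
        with open(os.path.join(vault, "baseline.json")) as f:
            old = json.load(f)
        return compare(old, snapshot(root))
```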
SLIDE 14

References

  • Network Intrusion Detection: An Analyst's Handbook, by Stephen Northcutt
  • http://www.cerias.purdue.edu
  • http://www.usenix.org
  • ids-request@uow.edu.au (put "help" in the body)
  • http://www.research.att.com/~smb/
  • http://www.cert.org
  • http://networks.depaul.edu