Network Intrusion Detection: Capabilities & Limitations (PowerPoint PPT presentation)

  1. Network Intrusion Detection: Capabilities & Limitations
     Vern Paxson, International Computer Science Institute / Lawrence Berkeley National Laboratory
     vern@icsi.berkeley.edu
     November 16, 2005

  2. Outline
     - What problem are we trying to solve?
     - Why network intrusion detection? Why not?
     - Styles of approaches.
     - Architecture of a network intrusion detection system (NIDS).
     - The fundamental problem of evasion.
     - Detecting activity: scanners, stepping stones.

  3. What Problem Are We Trying To Solve?
     - A crucial basic question is: What is your threat model?
       - What are you trying to protect?
       - Using what sort of resources?
       - Against what sort of adversary, who has what sort of goals & capabilities?
     - It’s all about shades of grey, policy decisions, limited expenditure, risk management.

  6. Types of Threats
     - In general, two types of threats: insider and outsider.
     - Insider threat:
       - Hard to detect ⇒ hard to quantify
       - Can be really damaging
       - In many contexts, apparent prevalence: rare
     - Outsider threat:
       - Attacks from over the Internet: ubiquitous.
       - Internet sites are incessantly probed:
         - Background radiation: on average, Internet hosts are probed every 90 sec
         - Medium-size site: 10,000’s of remote scanners each day.
       - What do they scan for? A wide and changing set of services/vulnerabilities, attacked via “auto-rooters” or worms.
       - Increasingly, not just “over the Internet”:
         - Laptops, home machines erode the notion of a “perimeter”

  7. What Are They After?
     - Short answer: Not Us.
       - Most attacks are not targeted.
     - They seek bragging rights:
       - E.g., via IRC or Web page defacement
     - They seek zombies for:
       - DDoS slaves
       - Spamming
       - Bots-for-sale
       - Finding more targets
     - They seek more of themselves (worms).
     - Most don’t cause damage beyond cleanup costs.
     - But: this is changing with the commercialization of malware.

  8. What can you learn watching a network link?
     - Far and away, most traffic travels across the Internet unencrypted.
     - Communication is layered, with higher layers corresponding to greater semantic content.
     - The entire communication between two hosts can be reassembled: individual packets (e.g., TCP/IP headers), application connections (TCP byte streams), user sessions (Web surfing).
     - You can do this in real time.

  9. Tapping links, con’t:
     - Appealing because it’s cheap and gives broad coverage.
     - You can have multiple boxes watching the same traffic.
     - Generally (not always) undetectable.
     - Can also provide insight into a site’s general network use.

  10. Problems with passive monitoring
     - Reactive, not proactive
       - However, this is changing with intrusion prevention systems
     - Assumes a network-oriented (often “external”) threat model.
     - For high-speed links, the monitor may not keep up.
       - Accordingly, monitors often rely on filtering.
       - Very high speed: beyond state-of-the-art.
     - Depending on “vantage point”, sometimes you see only one side of a conversation (especially inside a backbone).
     - Against a skilled opponent, there is a fundamental problem of evasion: confusing / manipulating the monitor.

  11. Styles of intrusion detection — Signature-based
     - Core idea: look for specific, known attacks.
     - Example (in Snort rule syntax; the original slide ran the options together, they are separated here as Snort expects):

         alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (
             flow:to_server,established;
             content:"|eb2f 5feb 4a5e 89fb 893e 89f2|";
             msg:"EXPLOIT x86 linux samba overflow";
             reference:bugtraq,1816;
             reference:cve,CVE-1999-0811;
             classtype:attempted-admin;
         )

  12. Signature-based, con’t:
     - Can be at different semantic layers, e.g.: IP/TCP header fields; packet payload; URLs.
     - Pro: good attack libraries, easy-to-understand results.
     - Con: unable to detect new attacks, or even just variants.

  13. Styles of intrusion detection — Anomaly-detection
     - Core idea: attacks are peculiar.
     - Approach: build/infer a profile of “normal” use, flag deviations.
     - Example: “user joe only logs in from host A, usually at night.”
     - Note: works best for narrowly-defined entities
       - Though sometimes there’s a sweet spot, e.g., content sifting or scan detection
     - Pro: potentially detects a wide range of attacks, including novel ones.
     - Con: potentially misses a wide range of attacks, including known ones.
     - Con: can potentially be “trained” to accept attacks as normal.

  14. Styles of intrusion detection — Specification-based
     - Core idea: codify a specification of what a site’s policy permits; look for patterns of activity that deviate.
     - Example: “user joe is only allowed to log in from host A.”
     - Pro: potentially detects a wide range of attacks, including novel ones.
     - Pro: framework can accommodate signatures, anomalies.
     - Pro: directly supports implementing a site’s policy.
     - Con: policies/specifications require significant development & maintenance.
     - Con: hard to construct attack libraries.
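Added example (not from the slides): the "user joe" examples of slides 13 and 14 side by side. An anomaly detector infers joe's normal hosts and hours from constructed login events and flags deviations; the specification-based check compares against a stated policy. The `poisoned_profile` helper shows the "trained to accept attacks" con from slide 13, which the policy check does not share. Event tuples, host names and the 2-hour slack are assumptions for the demonstration.

```python
from collections import defaultdict

# Constructed sample login events, (user, source_host, hour_of_day),
# standing in for the "user joe" examples on the two slides.
TRAINING = [("joe", "A", 22), ("joe", "A", 23), ("joe", "A", 0),
            ("joe", "A", 1), ("joe", "A", 2), ("joe", "A", 23)]

# Specification-based: the site writes the policy down directly.
POLICY = {"joe": {"allowed_hosts": {"A"}}}

def build_profile(events):
    """Anomaly detection: infer each user's 'normal' hosts and login hours."""
    profile = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for user, host, hour in events:
        profile[user]["hosts"].add(host)
        profile[user]["hours"].add(hour)
    return profile

def _hour_distance(a, b):
    d = abs(a - b) % 24
    return min(d, 24 - d)          # circular distance on the 24-hour clock

def anomaly_check(profile, user, host, hour, slack=2):
    """Flag deviations from the inferred profile (crude: hosts seen, hours seen +/- slack)."""
    p = profile.get(user)
    if p is None:
        return ["user never seen"]
    reasons = []
    if host not in p["hosts"]:
        reasons.append("unusual host")
    if min(_hour_distance(hour, h) for h in p["hours"]) > slack:
        reasons.append("unusual hour")
    return reasons

def policy_check(policy, user, host):
    """Specification-based: compare against the stated policy, no training needed."""
    rule = policy.get(user)
    if rule is None:
        return ["no policy for user"]
    return [] if host in rule["allowed_hosts"] else ["host not permitted"]

def poisoned_profile(training, attacker_events):
    """The 'trained to accept attacks' con: attacker logins leak into training data."""
    return build_profile(training + attacker_events)
```

Note that the policy check knows nothing about "usually at night": the specification catches only what the site wrote down, which is the maintenance cost slide 14 lists.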

  15. Some general considerations about the problem space
     - Security is about policy.
     - The goal is risk management, not bulletproof protection.
     - All intrusion detection systems suffer from the twin problems of false positives and false negatives.
       - These are not minor, but an Achilles heel.
     - Scaling works against us: as the volume of monitored traffic grows, so does its diversity.
     - Much of the state of the art is at the level of car alarms:
       - Sure, for many attackers, particularly unskilled ones, they go off …
       - … but they also go off inadvertently a whole lot too.

  16-20. General NIDS Structure
     [Figure: pipeline diagram, built up over five slides. Network → Packet Stream → Pre-Filter → Filtered Packet Stream → Decoder → Event Stream → Event Engine → Real-time Notification / Record To Disk]
     - Network: taps the link passively, sends up a copy of all network traffic.
     - Pre-Filter: reduces the high-volume packet stream via a static filter to the subset of main interest (the filtered packet stream).
     - Decoder: distills the filtered stream into high-level, policy-neutral elements (the event stream) reflecting underlying network activity, e.g., connection attempt, Web request, user logged in.
     - Event Engine: detection logic processes the event stream, incorporating:
       - Context from past analysis
       - Site’s particular policies
     - … and takes action:
       - Records forensic information to disk
       - Generates alarms
       - Executes response

  21. A Stitch in Time: Prevention instead of Detection
     - Big win to not just detect an attack, but block it.
     - However: big lose to block legitimate traffic.
     - Mechanisms:
       - NIDS spoofs connection tear-down/denial messages
       - NIDS contacts firewall/router, requests block (race condition)
       - NIDS is in-line and itself drops offending traffic (no race, but performance and robustness issues)
     - Increasing trend in industry …
     - … but requires highly accurate algorithms.

  25. The Problem of Evasion
     - Consider the following attack URL: http://…./c/winnt/system32/cmd.exe?/c+dir
     - Easy enough to scan for (say, “cmd.exe”), right?
     - But what about http://…./c/winnt/system32/cm%64.exe?/c+dir
     - Okay, we need to handle % escapes.
     - But what about http://…./c/winnt/system32/cm%25%54%52.exe?/c+dir
     - Oops. Will the recipient double-expand escapes … or not?
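Added example (not from the slides) of the ambiguity above: a monitor that decodes a URL at every plausible escape depth and reports at which depth the signature appears, so that a match that only shows up after one or more decodes is labelled as depending on the receiver's behaviour rather than silently accepted or dropped. The host name and the sample URLs are constructed; the "double" sample is the double-escaped form of cm%64.exe.

```python
from urllib.parse import unquote

SIGNATURE = "cmd.exe"

# Constructed sample URLs (host name is a placeholder, not from the slides);
# "double" is the double-escaped form of "cm%64.exe".
SAMPLES = {
    "plain":  "http://host.example/c/winnt/system32/cmd.exe?/c+dir",
    "single": "http://host.example/c/winnt/system32/cm%64.exe?/c+dir",
    "double": "http://host.example/c/winnt/system32/cm%25%36%34.exe?/c+dir",
    "benign": "http://host.example/index.html",
}

def decode_candidates(url, max_depth=3):
    """All interpretations a receiver might give `url`, depending on how many
    times it expands % escapes (0 .. max_depth). Stops once decoding is a no-op."""
    candidates = [url]
    for _ in range(max_depth):
        nxt = unquote(candidates[-1])
        if nxt == candidates[-1]:
            break
        candidates.append(nxt)
    return candidates

def inspect(url, signature=SIGNATURE):
    """Return ("match", depth) for the fewest decodes at which the signature
    appears, or ("no match", None). depth > 0 means the verdict depends on the
    receiver's decoding behaviour, which a passive monitor cannot know in general."""
    for depth, cand in enumerate(decode_candidates(url)):
        if signature in cand.lower():      # Windows file names are case-insensitive
            return ("match", depth)
    return ("no match", None)

def triage(urls):
    """Split URLs into definite matches, receiver-dependent (ambiguous) matches, and clean."""
    out = {"match": [], "ambiguous": [], "clean": []}
    for name, url in urls.items():
        verdict, depth = inspect(url)
        key = "clean" if verdict == "no match" else ("match" if depth == 0 else "ambiguous")
        out[key].append(name)
    return out
```

The "ambiguous" bucket is the practical answer to "will the recipient double-expand or not": the monitor cannot resolve it from the wire, so it reports the ambiguity instead of guessing.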

  28. The Problem of Evasion, con’t
     - More generally, consider passive measurement: scanning traffic for a particular string (“USER root”)
     - Easiest: scan for the text in each packet
       - No good: text might be split across multiple packets
     - Okay, remember text from previous packet
       - No good: out-of-order delivery
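Added example (not from the slides) that runs the three approaches on the slide's "USER root" case: per-packet matching, remembering previous packets in arrival order, and a small TCP stream reassembler that orders segments by sequence number and holds early data until the gap before it is filled. The segments, sequence numbers and split points are constructed for the demonstration.

```python
SIGNATURE = b"USER root"

# Constructed segments, (tcp_seq, payload): the stream b"USER root\r\n" split
# in the middle of the signature and delivered out of order.
SEGMENTS = [(0, b"USER r"), (8, b"t\r\n"), (6, b"oo")]

def per_packet_match(segments, sig=SIGNATURE):
    """Easiest approach: look for the text inside each packet on its own."""
    return any(sig in payload for _, payload in segments)

def remember_previous(segments, sig=SIGNATURE):
    """Next attempt: remember text from previous packets, in arrival order."""
    return sig in b"".join(payload for _, payload in segments)

class Reassembler:
    """One direction of a TCP byte stream, rebuilt by sequence number; data that
    arrives ahead of a gap is held until the gap is filled."""
    def __init__(self, isn=0):
        self.next_seq = isn        # first byte not yet delivered to the stream
        self.pending = {}          # seq -> payload that arrived early
        self.stream = bytearray()

    def add(self, seq, payload):
        if seq < self.next_seq:            # retransmitted/overlapping: drop old bytes
            payload = payload[self.next_seq - seq:]
            seq = self.next_seq
        if payload:
            self.pending[seq] = payload
        while self.next_seq in self.pending:   # drain everything now contiguous
            chunk = self.pending.pop(self.next_seq)
            self.stream += chunk
            self.next_seq += len(chunk)

    def complete(self):
        return not self.pending        # True if no bytes are waiting on a gap

def reassembled_match(segments, sig=SIGNATURE):
    """Match against the reassembled stream; also report whether any gaps remain."""
    r = Reassembler()
    for seq, payload in segments:
        r.add(seq, payload)
    return sig in bytes(r.stream), r.complete()
```

The `complete()` flag matters in practice: a stream with an unfilled gap cannot be declared clean, only undecided.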
