Intrusion Detection

Intrusion Detection
Dr. Gregory Vert
Intrusion Detection
• Definition:
– Detection of an attack
• While it is going on
• Shortly after it has occurred
Intrusion Detection
• Goal:
– To thwart the attack
– Conduct forensic investigation
– Minimize damage
– Learn how the attack was conducted and improve system security
Intrusion Detection
• General Theory behind ID
– Actions of normal system processes and users
conform to a pattern that can be defined
mathematically
– Users and processes are not trying to break the
system
– Users and processes have a set of defined
privileges and actions
Intrusion Detection
• In order to do intrusion detection build a system
that monitors for changes in the previous
assumptions
• Example
– 90% of CPU usage occurs between 8am and 5pm
– Users don’t usually browse the password files
– More than 3 failed login attempts may be an attack because users usually log in on the first try
Intrusion Detection
• Attack tools
– Are how systems are usually attacked
– Are usually a piece of existing software
– Are generally automated
• Want volume in an attack
• Want to look at many computers and find a few that
are not secure
• Want the computer to do the bulk of the work on the
attack
Intrusion Detection
• Example of Attack Tool
– Root kits
• Replace existing operating system files
• Sniff passwords and network connections
• Run with root privilege
• E.g. ls, du, netstat, ifconfig (network device configurations)
• Run concealed
• Allow access to the hacker through a back door
Intrusion Detection
• Denning
– Hypothesis that exploitation of vulnerabilities
requires abnormal use of existing commands
– Therefore look for abnormality in command
usage on system
– Key idea behind detection
Intrusion Detection
• Intrusion Detection Systems (IDS)
– An automated system that looks for abnormal
patterns in:
• System commands
• Usages
• Volumes
• Access to locations in system
• Failures
Intrusion Detection
• An IDS must be automated because
– System logs contain tons and tons of
information
– Often looking for 5-20 abnormal changes in
5000 lines of data
– Slow attacks are even worse to detect because
• Actions happen over an extended period of time
• Logs don’t show adjacent sequences of activities
Intrusion Detection
• Good IDS has 4 characteristics (Bishop)
– Detects a wide variety of attacks
• Not as simple as it sounds
• How can you detect an attack if you don’t know
how it works and have never seen one before
• Class Ideas ?
Intrusion Detection
• Good IDSs have 4 characteristics
– Detect attacks in timely fashion
• How fast is fast enough
• Discussion ?
• Real time systems may bog down processing
– Which is an attack in its own right
– A denial of service attack
Intrusion Detection
• Good IDSs have 4 characteristics
– Must present analysis in a clear simple format
• Problems:
• False Positives
– Thinks an attack is going on when it really is not
• False Negatives
– Does not think an attack is going on when it really is
Intrusion Detection
• Good IDSs have 4 characteristics
– Must be accurate
• The false positive / false negative problem from the previous slide
– We only want to respond to the real stuff because:
• Time consuming
• May lead to actions that damage system without cause
• Draws resources away from dealing with a real attack that
could start as you are investigating
Intrusion Detection
• Three systems models for an IDS
– Anomaly detection
– Misuse detection
– Specification detection (new)
Intrusion Detection
• Anomaly detection
– Assumes that unexpected behavior is evidence
of an attack
– Compare set of variables and their values to a
known set of variables
– Tries to reason about an attack based on data that does not match
– Usually done with statistics but could be done
with other variable techniques also
Intrusion Detection
• Anomaly Detection
– Threshold approach
• When a variable (or set of variables) is above a certain level, declare an attack
• Example:
– number of failed logins for a given user id in 10 minutes
– disk usage
– # of packets on port x in time period n
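An added example, not part of the lecture slides: the threshold approach applied to the failed-login case above. It reads constructed login records and raises an alert when a user id exceeds 3 failures inside a sliding 10-minute window; the record format, user names and function names are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
THRESHOLD = 3  # "more than 3 failed logins" -> alert on the 4th

# Constructed sample records: "<ISO timestamp> <FAIL|OK> user=<id>"
SAMPLE_LOG = """\
2024-01-05T08:01:10 FAIL user=alice
2024-01-05T08:02:30 OK user=bob
2024-01-05T08:03:05 FAIL user=alice
2024-01-05T08:04:44 FAIL user=alice
2024-01-05T08:15:00 FAIL user=alice
2024-01-05T08:20:10 FAIL user=mallory
2024-01-05T08:20:11 FAIL user=mallory
2024-01-05T08:20:12 FAIL user=mallory
2024-01-05T08:20:13 FAIL user=mallory
"""

def parse_record(line):
    ts, result, user_field = line.split()
    return datetime.fromisoformat(ts), result, user_field.split("=", 1)[1]

def threshold_alerts(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return (user, timestamp) pairs at which a user's failure count
    within the trailing window first exceeds the threshold."""
    recent = defaultdict(deque)  # user id -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        ts, result, user = parse_record(line)
        if result != "FAIL":
            continue
        q = recent[user]
        q.append(ts)
        # Age out failures older than the window so the count is a
        # sliding window, not a lifetime total.
        while ts - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            alerts.append((user, ts.isoformat()))
            q.clear()  # one alert per burst
    return alerts

if __name__ == "__main__":
    for user, when in threshold_alerts(SAMPLE_LOG):
        print(f"ALERT {when}: {user} exceeded {THRESHOLD} failed logins")
```

Note that alice's four failures are spread over 14 minutes and never exceed the threshold inside one window, which is the slow-attack weakness of a plain threshold.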
Anomaly Detection
• Threshold approach problems
– Users have different skill levels
• Example: an Asian user of an English-language computer system
• Class ?
– One threshold generally applied to all
– However, the approach can penalize new users by locking them out of the system
Anomaly Detection
• Statistical Moment Approach
– Instead of setting a threshold, calculate:
• Average
• Means
• Standard deviations
– Look for deviations from these variables
Anomaly Detection
• Statistical Moment Approach
– Problems
• Data may change over time in unexpected ways
– New users
– Users become smarter
• Need to age data somehow to show how system is
changing
• How do we do this ?
• Generally a better system than thresholds
• May use an expert system (Haystack, IDES)
Anomaly Detection
• State Machine Model
– Series of events occur in regular sequences
– Certain events are more likely to follow other events – state transitions
– When a low probability transition occurs then it is
probably anomalous
– Draw: login, cd home dir -> open word processor
– Can be utilized in system calls: open, read, write, close
Anomaly Detection
• State Machine
– Problems
• Need to know the events and sequences ahead of
time
• Need training data
• System may change based on addition of new
software
• Can only be run on the computer from which the
training data is derived
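An added example, not from the lecture slides: a state machine model of system-call sequences. Transition probabilities are learned from a constructed training trace, and any transition in a new trace that is rarer than a cutoff is reported as anomalous; the event names, traces and cutoff are assumptions.

```python
from collections import Counter, defaultdict

LOW_PROB = 0.05  # transitions rarer than this are treated as unexpected

class TransitionModel:
    """First-order state machine: P(next event | current event) learned
    from a training trace taken on the monitored machine."""
    def __init__(self):
        self.counts = defaultdict(Counter)   # state -> Counter(next state)

    def train(self, trace):
        # Count every consecutive pair (a, b) in the training trace
        for a, b in zip(trace, trace[1:]):
            self.counts[a][b] += 1

    def prob(self, a, b):
        """P(next = b | current = a); 0.0 if 'a' was never seen."""
        total = sum(self.counts[a].values())
        return self.counts[a][b] / total if total else 0.0

    def anomalous_transitions(self, trace, cutoff=LOW_PROB):
        """(index, a, b, probability) for each low-probability transition."""
        return [(i, a, b, self.prob(a, b))
                for i, (a, b) in enumerate(zip(trace, trace[1:]))
                if self.prob(a, b) < cutoff]

# Constructed training trace: the regular open/read/write/close routine
TRAIN = ["open", "read", "read", "write", "close"] * 20 \
      + ["open", "read", "close"] * 10

# Constructed test trace: the routine, then an execve straight after an
# open, a transition the training data never contained
TEST = ["open", "read", "write", "close", "open", "execve", "close"]

if __name__ == "__main__":
    model = TransitionModel()
    model.train(TRAIN)
    for i, a, b, p in model.anomalous_transitions(TEST):
        print(f"position {i}: {a} -> {b} has P={p:.3f} (< {LOW_PROB})")
```

Because the probabilities come from one machine's trace, the model only describes that machine, which is the portability limit the slide lists.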
Anomaly Detection
• What features and data variables to watch is
critical in the success of AD
• Frank demonstrated that selection of the “best”
features for a network activity classification
program could be based on eliminating features
based on the error rate they induce in classification
of activity
– He found that about 5 features was right for his study
Anomaly Detection
• Generally assumes a gaussian distribution
– A bell curve that shows what is normal
• Some systems may cluster data by related values
such as “read time” for a file and “cpu usage” for
the read
– Outliers – values that don’t fit into a cluster – can then be an attack
– Draw
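An added example, not from the lecture slides, covering the statistical moment approach and the Gaussian assumption above: a running mean and variance that are aged with an exponential weight (so the profile follows new users and gradual change), with a value flagged when it lies more than K standard deviations from the aged mean. The metric, the aging factor and the sample series are assumptions.

```python
import math

ALPHA = 0.2   # aging factor: weight given to the newest observation
K = 3.0       # alert when |x - mean| exceeds K standard deviations

class AgedMoments:
    """Exponentially aged mean and variance: each new sample carries
    weight ALPHA and the accumulated history (1 - ALPHA), so old
    behaviour fades and the profile follows gradual change."""
    def __init__(self, alpha=ALPHA):
        self.alpha, self.mean, self.var = alpha, None, 0.0

    def update(self, x):
        if self.mean is None:         # first observation seeds the profile
            self.mean = float(x)
            return
        diff = x - self.mean
        incr = self.alpha * diff
        self.mean += incr
        # EWMA variance (Welford form): shrink history, add new deviation
        self.var = (1 - self.alpha) * (self.var + diff * incr)

    def zscore(self, x):
        """Standardised deviation, i.e. position under the assumed
        Gaussian profile; infinite if the profile has no spread yet."""
        sd = math.sqrt(self.var)
        if sd == 0.0:
            return 0.0 if x == self.mean else math.inf
        return (x - self.mean) / sd

def detect_deviations(samples, warmup=5, k=K):
    """Feed samples in order; return indices flagged as anomalous.
    The first `warmup` samples only train the profile."""
    profile, flagged = AgedMoments(), []
    for i, x in enumerate(samples):
        if i >= warmup and abs(profile.zscore(x)) > k:
            flagged.append(i)
            continue                  # keep the outlier out of the profile
        profile.update(x)
    return flagged

# Constructed hourly CPU-seconds for one user: stable, one spike, then a
# gradual rise that the aged profile follows without alerting.
SAMPLE = [10, 12, 11, 13, 12, 11, 12, 90, 13, 14, 15, 16, 17, 18, 19, 20]

if __name__ == "__main__":
    print("anomalous indices:", detect_deviations(SAMPLE))
```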
Misuse Detection
• An attack by an insider who generally has
authorized access
• Is rule based
• Looks for sequences of commands that knowingly violate policy
• Example
Misuse Detection
• Rules are placed into a rule set
• IDS processes rules against system logs looking for violations of the rules
• Often involve expert systems because rules can be ambiguous
Misuse Detection
• Can’t detect attacks that are unknown
– the attack’s sequence of rule violations is not known
• Can enhance systems to make them adaptive via Petri nets
Misuse Detection
• IDIOT – Spafford, uses Petri nets
• Defines
– events – a change in system state
• a record of the event
– transitions from one state to another on an event
– transitions may have tests (guards) that check for
existence of variables in certain states and / or make
assignments
– Can have separate transition branches that merge
– Draw
Misuse Detection
• IDIOT classified attacks by categories:
– existence – attack creates a file
– sequence – attack causes several events to
occur sequentially
– partial order – attack causes two or more
sequences of events that form an ordering over
time
– interval – two events occur exactly n units of
time apart
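An added example, not from the lecture slides, for rule-based misuse detection and the IDIOT-style transitions with guards: a signature is an ordered list of steps, each step names an event type and binds pattern variables, and a variable bound in an earlier step acts as a guard in later ones. It is a plain sequential matcher rather than a Petri net; the audit record layout, the signature and the names are assumptions.

```python
# Constructed audit records: (seq, user, action, object)
SAMPLE_EVENTS = [
    (1, "bob",   "create", "/tmp/x"),
    (2, "alice", "create", "/home/alice/notes"),
    (3, "bob",   "chmod",  "/tmp/x"),
    (4, "alice", "read",   "/home/alice/notes"),
    (5, "carol", "exec",   "/tmp/x"),   # different user: guard fails
    (6, "bob",   "exec",   "/tmp/x"),
]

# Signature (IDIOT "sequence" category): the same user creates a file,
# changes its mode, then executes it. Each step is (action, bindings).
SIG_CREATE_CHMOD_EXEC = [
    ("create", {"user": "U", "object": "F"}),
    ("chmod",  {"user": "U", "object": "F"}),
    ("exec",   {"user": "U", "object": "F"}),
]

def advance(step, fields, bindings):
    """Take one transition: return the extended bindings, or None when
    the action differs or a guard (already-bound variable) mismatches."""
    action, binds = step
    if action != fields["action"]:
        return None
    new = dict(bindings)
    for field, var in binds.items():
        if var in new and new[var] != fields[field]:
            return None
        new[var] = fields[field]
    return new

def match_signature(events, sig):
    """Return the seq numbers of every complete match of sig in events.
    Partial matches stay alive because attack steps may interleave."""
    partial, complete = [], []        # partial: (next_step, bindings, seqs)
    for seq, user, action, obj in events:
        fields = {"user": user, "action": action, "object": obj}
        fresh = []
        for step_i, bindings, seqs in partial + [(0, {}, [])]:
            new = advance(sig[step_i], fields, bindings)
            if new is None:
                continue
            if step_i + 1 == len(sig):
                complete.append(seqs + [seq])
            else:
                fresh.append((step_i + 1, new, seqs + [seq]))
        partial.extend(fresh)
    return complete
```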
Misuse Detection
• IDIOT
– monitors audit trail logs
– STAT a similar system
• Ilgun
• No guards
• Uses state tables
• Looks at the sequence of commands to e.g. get a forbidden privilege
Specification Modeling
• Misuse detection looks for states known to
be bad
• Specification modeling looks for states
known to not be good – a possible intrusion
• Builds specifications for how a program
should run
• Examines program for deviations from good
states
Specification Modeling
• Ko developed a specification based IDS
• Monitored 15 security related programs
• Monitored on things like:
– object access
– synchronization of data
– sequences of commands
– race conditions
Specification Modeling
• They looked at rdist (remote distribution)
• Rdist updates programs on remote systems
• Problem is that rdist modifies permissions
on files
– replacing a file with a symbolic link to another
file, can get rdist to change permissions on that
file
Specification Modeling
• SM
– utilizes grammars to specify actions
– grammars define acceptable activities
– is a relatively new field
– because it specifies what should happen
• unknown attacks can be detected
– Class drawbacks ?
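An added example, not from the lecture slides, tying the specification approach to the rdist case: the specification lists the only operations an rdist-like program may perform and requires that chmod be applied only to a regular file the program created during the run, never to a path that is a symbolic link. The trace is replayed against that specification and every deviation is reported. The filesystem snapshot, paths and trace are constructed.

```python
# Constructed filesystem view: path -> ("file", None) or ("symlink", target)
FS = {
    "/srv/app/bin/tool":     ("file", None),
    "/srv/app/bin/tool.new": ("symlink", "/etc/protected.conf"),  # planted link
    "/etc/protected.conf":   ("file", None),
}

# Constructed audit trace of one program run: (operation, path)
TRACE = [
    ("create", "/srv/app/bin/tool.tmp"),
    ("write",  "/srv/app/bin/tool.tmp"),
    ("chmod",  "/srv/app/bin/tool.tmp"),   # within spec: its own file
    ("chmod",  "/srv/app/bin/tool.new"),   # outside spec: path is a symlink
    ("chmod",  "/srv/app/bin/tool"),       # outside spec: not created by it
]

# The specification: the operations the program may perform at all, plus
# the rule that chmod is valid only on a regular file created in this run
ALLOWED_OPS = {"create", "write", "chmod"}

def check_spec(trace, fs):
    """Replay the trace against the specification; return violations as
    (index, operation, path, reason)."""
    fs = dict(fs)                 # private copy so creates do not leak out
    created, violations = set(), []
    for i, (op, path) in enumerate(trace):
        if op not in ALLOWED_OPS:
            violations.append((i, op, path, "operation not in specification"))
        elif op == "create":
            created.add(path)
            fs.setdefault(path, ("file", None))
        elif op == "chmod":
            kind, target = fs.get(path, ("missing", None))
            if kind == "symlink":
                violations.append((i, op, path, f"chmod via symlink to {target}"))
            elif path not in created:
                violations.append((i, op, path, "chmod of file not created in run"))
    return violations

if __name__ == "__main__":
    for i, op, path, reason in check_spec(TRACE, FS):
        print(f"step {i}: {op} {path}: {reason}")
```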
Summary
• Misuse detection
– detects violations of policy, implicit or explicit
– need to develop rules, states, actions etc.
– must have these in a rule base
– only detects attacks that are known
Summary
• Anomaly Detection
– detects policy violations also
– a little more generalized than misuse detection
– uses statistics to find deviations
Summary
• Specification Modeling
– must have rules for how a good program is
operating
– need experts to define rules
– can detect unknown attacks
Architecture
• IDS works off of audit trails
• Audit trails found in logs
• Best to collect log data from all over the
system due to distributed attacks
• Generally constructed in 3 subsystems
Architecture
• Agent
– a relatively autonomous piece of software that collects data from a local machine
– may format the data
• why ?
– sends the data to a centralized system
– may weed data that is not deemed to be
important
Architecture
• Agents can be:
– host based
• utilize system and application logs
• may be security logs or accounting logs
• a virtual agent can be in the kernel and write data to
logs it finds interesting
• logs can be very large
Architecture
• Agents can be
– network based
• use devices and software to monitor network traffic
• used to detect network based attacks
• utilize sniffing
• monitor contents of packets
• must be arranged in a way to provide full network coverage
• encipherment makes this task a problem
Architecture
• Agents send formatted information to the
director software
• Directors
– eliminate unnecessary log entries
– utilize an analysis engine to find attacks
– usually are run on a separate system
– adaptive directors may alter search rules (neural network)
Architecture
• Notifier
– accepts information from the director and takes
appropriate action
– may notify a security officer via a GUI
– may be proactive in combating an attack
Systems to Look At
• Courtney – monitors for use of SATAN
• SATAN – system for finding weaknesses in
Unix
• IDIP – coordinates IDSs on firewalls to block attacks
• NSM – develops profiles of system usage
and compares against profiles e.g. repeated
telnet connections of short duration
Systems to Look At
• DIDS – distributed IDS based on NSM that works in conjunction with host based IDSs
– NSM is network based only
• AAFID – autonomous agents that report
data, distributes components of IDS into
pieces
– eliminates a single point of failure, director is
distributed
Incident Response
• Ideally you want to
– detect attack as it starts
– take defensive measures
– work automatically
– can be very system resource intensive
• why ?
Incident Response
• Definition:
– Jailing
• placing an attacker in a confined area of the system
• letting them think that they are inside the system
• allows one to observe the hacker
• sometimes referred to as a honey pot
• usually has a faked file system
• may intercept system calls and do something (kernel)
Incident Response
• Goal
– to restore system to comply with security policy
– replace / fix damaged resources
Incident Response
• Six phases:
– preparation
• procedures and methods for detection
• backups
– identification
• id the attack
• trigger for following phases
Incident Response
• Containment
– limits the damage as much as possible
– may not be possible if you have a real time
system
– attacks generally probe for a while and then do
damage
– you can get a chance to contain if you detect
probing
Incident Response
• Eradication
– stops attack if done in real time
– puts mechanisms in place to thwart other
attacks
• Recovery
– restores system to pre-attack configuration
– must detect what has been modified
Incident Response
• Response – Follow up
– taking action against the attacker
• forensic investigation
• counter attack
• law enforcement
– fixing holes in your system
– documentation of lessons learned
– documentation of attack details
Details
• Containment
– approaches
• passive monitoring
– meant to record actions for later use
– examine goals and techniques of hacker
– a honeypot
• constraining actions of hacker
– goal to prevent hacker from accomplishing aims
– problem, may not know what the goal is
Details
• Eradication
– goal to stop the attack
– must ensure it does not resume immediately
– may block attacks by placing wrappers around a suspected target
– wrappers control access
– want to embed wrappers in the kernel to make them
hard to bypass
– Example
Details
• Eradication
– good to place wrappers at the firewall
– firewalls filter network traffic
– example
– IDIP – intrusion detection and isolation protocol
• are firewalls
• work to communicate directly with each other
• coordinate a response to an attack
Details
• Follow up
– most common is to follow up with legal action
– how to trace the attack for follow up
• thumb printing
– monitor connections between any two hosts
– check for similar content moving across the connections
– method allows you to trace back to the source of the attack
– hackers may move through multiple hosts before attacking
– software needs to be small, effective and fast
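An added example, not from the lecture slides, of the thumbprinting idea in simplified form: each observed connection is summarised as a character-frequency vector of its content, and two connections whose vectors are nearly parallel (high cosine similarity) are reported as the same session passing through an intermediate host. The captured contents, host names and the similarity threshold are constructed assumptions.

```python
import math
from collections import Counter
from itertools import combinations

SIMILARITY_THRESHOLD = 0.9   # thumbprints this parallel are "same session"

def thumbprint(content):
    """Thumbprint of one connection: its character-frequency vector."""
    return Counter(content)

def cosine(tp_a, tp_b):
    """Cosine similarity of two thumbprints (1.0 = identical shape)."""
    dot = sum(tp_a[ch] * tp_b[ch] for ch in tp_a)
    norm = math.sqrt(sum(v * v for v in tp_a.values())) \
         * math.sqrt(sum(v * v for v in tp_b.values()))
    return dot / norm if norm else 0.0

def correlate(connections, threshold=SIMILARITY_THRESHOLD):
    """connections: {name: content}. Return (a, b, similarity) for every
    pair whose thumbprints meet the threshold, most similar first."""
    prints = {name: thumbprint(c) for name, c in connections.items()}
    pairs = [(a, b, cosine(prints[a], prints[b]))
             for a, b in combinations(sorted(prints), 2)]
    return sorted([p for p in pairs if p[2] >= threshold],
                  key=lambda p: -p[2])

# Constructed captures. The same interactive session enters hostB from
# hostA and leaves again towards hostC; the relay adds only a prompt.
SESSION = "cd /var/log\nls -l\ngrep -i error syslog\ntail -n 20 syslog\n"
CONNECTIONS = {
    "hostA->hostB": SESSION,
    "hostB->hostC": "user@hop2:~$ " + SESSION,
    "hostD->hostE": "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n",
}

if __name__ == "__main__":
    for a, b, sim in correlate(CONNECTIONS):
        print(f"{a} and {b} carry the same content (similarity {sim:.2f})")
```

A frequency vector ignores order and timing, so it still matches when the relay re-chunks the stream, but it is blind to encrypted hops, the encipherment problem raised earlier for network agents.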
Details
• Follow Up
– may use IP header marking
• examine and mark contents of headers to trace an
attack back to source
• don’t want to do this for every packet
• deterministic marking – marks every n packets using
an algorithm
• marking is done in extra bits that are not utilized in IP headers
Details
• Follow Up
– counter attacking
• filing criminal complaints
– requires good chain of evidence to establish that attack
was real – not an accident or error
• technical attack
– goal is to damage their system
– problems
» may harm innocent parties
» may have side effects – denial of service
» may get you in trouble legally