Intrusion Detection - University of Sunderland


Intrusion Detection
CSEM02
University of Sunderland
Harry R. Erwin, PhD
Resources
• B. Schneier, 2000, Secrets and Lies, Wiley, ISBN 0-471-25311-1.
• E. Amoroso, 1999, Intrusion Detection, Intrusion.net, ISBN 0-9666700-7-8.
• R. G. Bace, 2000, Intrusion Detection, Macmillan Technical Publishing, ISBN 1-57870-185-6.
• We will mostly follow Schneier in this lecture.
Intrusion Detection Systems (IDS)
• Network monitors: they watch your network looking for suspicious behavior.
• Often, but not always, based on audit records.
• Provide reactive rather than proactive security.
• Alert on successful and ongoing attacks.
• Need to be accurate both in detecting attacks and in determining that an attack is not underway.
• May also provide diagnosis tools.
The False Alarm Problem
• Base rate fallacy: suppose you have a test that is 99% accurate. Is this good? Not necessarily!
• Suppose the real attack rate is 1 × 10^-6 (one event in a million). A test that is wrong 1% of the time will then generate roughly 10,000 false positives for every real attack it detects. (Work it out…)
• If network attacks are rare, a test has to be very powerful (a very low false-positive rate) to be useful.
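The arithmetic behind the base rate fallacy, worked through in code. This is an added example, not part of the lecture: it applies Bayes' rule to the slide's numbers (a test that fires on 99% of attacks and on 1% of benign events, with attacks making up one event in a million) and then inverts the formula to show how low the false-positive rate must go before even half of the alarms are real. The function names and the 0.99/0.01 split of "99% accurate" are assumptions made for the example.

```python
"""Base-rate arithmetic for IDS alarms (added example, not from the lecture)."""


def alert_precision(tpr: float, fpr: float, base_rate: float) -> float:
    """P(attack | alarm), by Bayes' rule.

    tpr:       probability the detector fires on a real attack (sensitivity)
    fpr:       probability it fires on a benign event (1 - specificity)
    base_rate: fraction of monitored events that really are attacks
    """
    true_alarms = tpr * base_rate
    false_alarms = fpr * (1.0 - base_rate)
    return true_alarms / (true_alarms + false_alarms)


def false_alarms_per_detection(tpr: float, fpr: float, base_rate: float) -> float:
    """Expected number of false alarms for each correctly detected attack."""
    return (fpr * (1.0 - base_rate)) / (tpr * base_rate)


def fpr_needed_for_precision(target: float, tpr: float, base_rate: float) -> float:
    """Largest false-positive rate that still gives P(attack | alarm) >= target.

    Solves target = tpr*b / (tpr*b + fpr*(1-b)) for fpr.
    """
    return tpr * base_rate * (1.0 - target) / (target * (1.0 - base_rate))


if __name__ == "__main__":
    # The lecture's numbers: a "99% accurate" test, read here as tpr = 0.99 and
    # fpr = 0.01 (an assumption), against an attack rate of one in a million.
    tpr, fpr, base = 0.99, 0.01, 1e-6
    print(f"P(attack | alarm)          = {alert_precision(tpr, fpr, base):.2e}")
    print(f"false alarms per detection = {false_alarms_per_detection(tpr, fpr, base):,.0f}")
    for target in (0.5, 0.9):
        need = fpr_needed_for_precision(target, tpr, base)
        print(f"for {target:.0%} of alarms to be real, fpr must be <= {need:.1e}")
```

With the slide's inputs the detector's alarms are about 0.01% real (roughly 10,100 false alarms per detection); for half the alarms to be real, the false-positive rate has to fall to about 1 × 10^-6, the same order as the attack rate itself. The same functions show why the problem largely disappears for an event class with a 10% attack rate: there, precision is already above 90%.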
The Timely Notification Problem
• You may want to be warned in time to do something, but…
• What about slow attacks? When should the IDS become suspicious and tell you?
• What about ambiguous evidence? Do you want to be warned about borderline cases?
The Response Problem
• What do you do if you do hear an alarm? This is the same problem as giving out general warnings of terrorist activity.
• Options include:
– Wait
– Collect more information
– Do something
– Hope it goes away
• You may be too busy fighting alligators to do anything intelligent about draining the swamp.
Approaches to Building an IDS
• Misuse detection
– The IDS knows what an attack looks like and looks for it.
– A “network virus scanner”.
– Fast, easy to build, and has a low false positive rate.
– Misses a lot and is easy to fool.
– Will probably get better over time.
Approaches to Building an IDS (II)
• Anomaly detection
– Generates a statistical or neural-network model of the network to figure out what is normal.
– Sounds an alarm for abnormal activity.
– Uses AI:
• Bayesian statistics
• Neural networks
• Expert systems
Problems with Anomaly Detection
• Does the training data include an attack? Then hacking will be considered normal. 8(
• New things happen on networks all the time. Successfully retraining an existing AI system to handle this is a hard problem, worth a PhD. 8(
• How can it categorize attacks? That requires expert input. 8(
• False positives are much higher than with misuse detection. 8(
• Attack indicators are brittle, so hackers can sneak past them. 8(
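The two approaches side by side, as an added example that is not code from the lecture or from any IDS product. It runs a signature matcher (misuse detection) and a per-source request-rate model (a simple statistical anomaly detector) over constructed access-log lines, and it reproduces three of the points above: the signature misses a URL-encoded variant of an attack it knows, the anomaly detector flags a legitimate host that merely got busy, and an anomaly model trained on a period that already contained the scanner treats the scanner's volume as normal. The log format, host addresses, signatures and the mean-plus-three-standard-deviations threshold are all assumptions made for the example.

```python
"""Misuse (signature) detection next to a toy rate-anomaly detector, run over
constructed access-log lines. Added example; not code from the lecture or any
IDS product. Log format, addresses and thresholds are assumptions."""
import re
import statistics
from collections import Counter

# Constructed per-source request counts for an ordinary, attack-free period.
BASELINE_COUNTS = {"10.0.0.1": 10, "10.0.0.2": 12, "10.0.0.3": 11,
                   "10.0.0.4": 9, "10.0.0.5": 13}


def synthetic_log(counts, extra=()):
    """Build 'src path' lines: `counts` plain GETs per source plus `extra` lines."""
    lines = [f"{src} /index.html" for src, n in counts.items() for _ in range(n)]
    lines.extend(extra)
    return lines


def parse(line):
    src, path = line.split(" ", 1)
    return src, path


# --- Misuse detection: a "network virus scanner" for known attack shapes ---
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "cmd-injection": re.compile(r"[;|&]\s*(cat|id|wget)\b"),
}


def misuse_detect(lines):
    """Return (src, signature) for every line matching a known pattern."""
    alerts = []
    for line in lines:
        src, path = parse(line)
        for name, pat in SIGNATURES.items():
            if pat.search(path):
                alerts.append((src, name))
    return alerts


# --- Anomaly detection: learn what "normal" request volume looks like ---
class RateAnomalyDetector:
    """Flag any source whose request count exceeds mean + k*stdev of the
    per-source counts seen during training."""

    def __init__(self, k=3.0):
        self.k = k
        self.threshold = None

    def train(self, lines):
        counts = list(Counter(parse(l)[0] for l in lines).values())
        self.threshold = statistics.mean(counts) + self.k * statistics.stdev(counts)
        return self.threshold

    def detect(self, lines):
        counts = Counter(parse(l)[0] for l in lines)
        return sorted(src for src, n in counts.items() if n > self.threshold)


def demo():
    """Run both detectors over a constructed 'live' period and return the results."""
    clean = synthetic_log(BASELINE_COUNTS)
    attack_lines = [
        "192.0.2.9 /cgi-bin/view?f=../../etc/passwd",        # known shape: caught
        "192.0.2.9 /cgi-bin/view?f=..%2f..%2fetc%2fpasswd",  # URL-encoded: evades the signature
        "192.0.2.9 /cgi-bin/view?cmd=;cat+/etc/passwd",      # known shape: caught
    ]
    # Live period: the same hosts, one legitimate burst (10.0.0.5 at 18
    # requests), and a scanner at 192.0.2.9 sending 57 plain requests plus
    # the 3 attack lines above, 60 in total.
    live = synthetic_log({**BASELINE_COUNTS, "10.0.0.5": 18, "192.0.2.9": 57},
                         attack_lines)

    detector = RateAnomalyDetector(k=3.0)
    detector.train(clean)
    flagged = detector.detect(live)  # the scanner AND the bursting legitimate host

    # Poisoned training: the scanner was present while the model learned
    # "normal", so its volume is now normal and it goes unflagged.
    poisoned = RateAnomalyDetector(k=3.0)
    poisoned.train(live)

    return {
        "misuse": misuse_detect(live),
        "anomaly_clean_model": flagged,
        "anomaly_poisoned_model": poisoned.detect(live),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The signature matcher raises exactly two alerts, both correct and both labelled with the attack they matched, but it never sees the encoded traversal. The cleanly trained anomaly detector catches the scanner without knowing what a traversal is, at the cost of also flagging 10.0.0.5, and it cannot say what kind of attack it found. The poisoned model flags nothing at all.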
Inline versus Audit-Based IDS
• Should the IDS detect attacks in real time or by processing audit logs?
– Inline will have incomplete data.
– Inline is also computationally expensive.
– Audit log processing is after the fact.
– Audit log formats vary quite a bit.
– A combined approach is feasible, but costly.
Host-Based versus Network-Based IDS
• Network-based IDS is basically wiretapping
– Stealthy
– Operating-system independent
• Host-based IDS uses audit logs
– From workstations, servers, switches, routers, etc.
– Product-specific.
Make or Buy
• Do your own monitoring or pay someone else?
– Counterpane
– Qinetiq
– Other vendors are important, too.
– SRM is a local company that does this.
• Trust issues are particularly important.
• In-house expertise requirement.
Honey Pots and Burglar Alarms
• Burglar alarms are resources on the network that generate an alarm if accessed incorrectly.
• Honey pots are burglar alarms dressed up to look attractive. They may incorporate subnetworks and dummy computers.
– Costly
– Have to look real to the attackers
– Legality is important. Entrapment may be an issue, so intruders must be warned.
• Read http://csrc.nist.gov/publications/secpubs/berferd.ps
• See also http://www.strategypage.com/fyeo/howtomakewar/default.asp?target=HTIW.HTM
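A burglar alarm in the sense used above, as an added example that is not code from the lecture. Three kinds of decoy are watched over constructed log lines: a file nobody is ever linked to, an account nobody is ever issued, and a block of allocated but unused address space. Because no legitimate activity touches any of them, the base rate of benign hits is close to zero and each alarm is worth investigating; the same source tripping several decoys is a stronger signal still, which is what the triage step surfaces. Dressing the decoys up to look attractive, and the warning that the slide says intruders must be given, are outside what the code shows. The decoy names, addresses and the three log formats are assumptions made for the example.

```python
"""Burglar-alarm detection over constructed log lines. Added example; not code
from the lecture. Decoy names, addresses and log formats are assumptions."""
import ipaddress

# Decoys that no legitimate user or process ever has a reason to touch.
DECOY_PATHS = {"/backup/site-2019.tar.gz", "/old-admin/"}
DECOY_ACCOUNTS = {"svc-legacy-admin"}
# Allocated but unused address space: nothing lives there, so traffic to it is probing.
DARK_SPACE = ipaddress.ip_network("10.0.9.0/24")


def burglar_alarm(lines):
    """Return (kind, source, detail) for every line that trips a decoy.

    Line formats (constructed for this example):
      http <src> <method> <path> <status>
      auth <src> login <user> <ok|fail>
      flow <src> -> <dst_ip>:<dst_port>
    """
    alerts = []
    for line in lines:
        fields = line.split()
        kind, src = fields[0], fields[1]
        if kind == "http" and fields[3] in DECOY_PATHS:
            alerts.append(("decoy-file", src, fields[3]))
        elif kind == "auth" and fields[3] in DECOY_ACCOUNTS:
            alerts.append(("decoy-account", src, fields[3]))
        elif kind == "flow":
            dst_ip = fields[3].rsplit(":", 1)[0]
            if ipaddress.ip_address(dst_ip) in DARK_SPACE:
                alerts.append(("dark-space", src, fields[3]))
    return alerts


def triage(alerts):
    """Group alarms by source. One source tripping several different decoys
    is almost certainly an intruder rather than a misconfiguration."""
    by_src = {}
    for kind, src, _detail in alerts:
        by_src.setdefault(src, set()).add(kind)
    return {src: sorted(kinds) for src, kinds in by_src.items()}


# Constructed log lines: an ordinary day, then the same day with an intruder.
BENIGN = [
    "http 10.0.0.7 GET /index.html 200",
    "auth 10.0.0.7 login alice ok",
    "flow 10.0.0.7 -> 10.0.0.20:443",
]
INTRUSION = BENIGN + [
    "http 198.51.100.4 GET /backup/site-2019.tar.gz 404",  # pulled the decoy file
    "auth 198.51.100.4 login svc-legacy-admin fail",       # tried the decoy account
    "flow 198.51.100.4 -> 10.0.9.17:22",                   # scanned dark space
    "flow 10.0.0.31 -> 10.0.9.200:445",                    # internal host probing dark space
]


if __name__ == "__main__":
    print("benign day:", burglar_alarm(BENIGN))
    for src, kinds in triage(burglar_alarm(INTRUSION)).items():
        print(f"{src}: tripped {', '.join(kinds)}")
```

On the benign day the alarm is silent. On the intrusion day it reports four hits; triage shows 198.51.100.4 tripping all three decoy types, and the internal host 10.0.0.31 probing dark space, which on an internal machine usually means it is already compromised or misconfigured and deserves a look either way.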
Incident Handling Issues
• Be prepared
• Have procedures
• Don’t panic
• Call in the police?
• Expectation management
• Damage control
• Dealing with witch hunts
IDS Requirements
• Must be:
– Effective
– Easy to use
– Adaptable
– Robust
– Fast
– Efficient
– Safe
Future IDS Needs
• Should be:
– Accommodating
– Security enhancing
– Scalable
– Realistic
– Hardened
Conclusions
• We aren’t there yet,
• But any IDS is better than none at all.
• This is the place to be if you want to work on secure systems development.