Intrusion Detection - University of Sunderland
Intrusion Detection
Harry R. Erwin, PhD
School of Computing and Technology
University of Sunderland
Resources
• B. Schneier, 2000, Secrets and Lies, Wiley, ISBN: 0-471-25311-1—a good survey for managers.
• E. Amoroso, 1999, Intrusion Detection, Intrusion.net, ISBN: 0-9666700-7-8
• R. G. Bace, 2000, Intrusion Detection, Macmillan Technical Publishing, ISBN: 1-57870-185-6
Intrusion Detection Systems (IDS)
• These are network monitors—they watch your
network looking for suspicious behavior
• Often but not always based on audit trails
• Provide reactive rather than proactive security
• Should alert on successful and ongoing attacks
• Need to be accurate in detecting attacks and in
determining that an attack is not underway.
• Also may provide diagnosis tools.
The False Alarm Problem
• Base rate fallacy—suppose you have a test that is
99% accurate. Is this good?
Not necessarily!
• Suppose the real attack rate is 1×10^-6 per message
or packet. This test will generate 10,000 false
positives for every real attack it detects.
• If network attacks are rare, a test has to be
powerful to be useful.
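To make the base-rate arithmetic on this slide concrete, here is an added Python example (not from the lecture) that computes how many false alarms a detector raises per true detection, the precision that implies, and the false-positive rate a detector would need to reach a given precision. The 99% accuracy and 10^-6 attack rate are the slide's figures; the 0.5 target precision and the sweep of attack rates are constructed inputs.

```python
def alarms_per_detection(attack_rate, sensitivity, false_positive_rate):
    """Expected false alarms for every real attack the detector flags.

    attack_rate:          fraction of packets/messages that are attacks (the prior)
    sensitivity:          P(alert | attack), the true-positive rate
    false_positive_rate:  P(alert | no attack)
    """
    true_alarms = attack_rate * sensitivity
    false_alarms = (1.0 - attack_rate) * false_positive_rate
    return false_alarms / true_alarms


def precision(attack_rate, sensitivity, false_positive_rate):
    """P(attack | alert) by Bayes' theorem: the share of alerts that are real."""
    true_alarms = attack_rate * sensitivity
    false_alarms = (1.0 - attack_rate) * false_positive_rate
    return true_alarms / (true_alarms + false_alarms)


def required_false_positive_rate(attack_rate, sensitivity, target_precision):
    """Largest false-positive rate at which precision still reaches target_precision.

    Solve tp / (tp + fp) = target for fp, then convert fp back to a rate per
    benign message by dividing by (1 - attack_rate).
    """
    true_alarms = attack_rate * sensitivity
    false_alarms = true_alarms * (1.0 - target_precision) / target_precision
    return false_alarms / (1.0 - attack_rate)


if __name__ == "__main__":
    # The slide's figures: a "99% accurate" test (read as 99% sensitivity and a
    # 1% false-positive rate) against one attack per million messages.
    rate, sens, fpr = 1e-6, 0.99, 0.01
    print(f"false alarms per detection: {alarms_per_detection(rate, sens, fpr):,.0f}")
    print(f"precision: {precision(rate, sens, fpr):.6f}")
    # Constructed sweep: how good must the test be for half of its alerts to be real?
    for r in (1e-3, 1e-6, 1e-9):
        print(f"attack rate {r:g}: need FPR <= {required_false_positive_rate(r, sens, 0.5):.2e}")
```

Reading "99% accurate" as both a 99% detection rate and a 1% false-alarm rate reproduces the slide's roughly 10,000 false positives per real detection; the sweep shows that the false-positive rate has to fall roughly in step with the attack rate for even half of the alerts to be real.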
The Timely Notification Problem
• You may want to be warned in time to do
something, but…
• What about slow attacks? When should the
IDS become suspicious and tell you?
• What about ambiguous evidence? Do you
want to be warned about borderline cases?
The Response Problem
• What do you do if you do hear an alarm? Consider
the problem with giving out general warnings of
terrorist activity.
• Options include:
– Wait
– Collect more information
– Do something
– Hope it goes away
• You may be too busy fighting alligators to do
anything intelligent about draining the swamp.
Approaches to Building an IDS
• Misuse detection
– IDS knows what an attack looks like and looks
for it.
– “Network virus scanner”
– Fast, easy to build, has a low false positive rate.
– Misses a lot and is easy to fool.
– Probably will get better over time.
Approaches to Building an IDS (II)
• Anomaly detection
– Learns a statistical or neural network model of
the network to figure out what is normal
– Sounds an alarm for abnormal activity
– Uses AI:
• Bayesian statistics
• Neural networks
• Expert systems
Problems with Anomaly Detection
• Does the training data include an attack? Then
hacking will be considered normal. 8(
• New things happen on networks all the time.
Successful retraining of an existing AI system to
handle this is a hard problem, worth a PhD. 8(
• How can it categorize attacks? That requires
expert input. 8(
• False positives are much higher. 8(
• Attack indicators are brittle, so that hackers can
sneak past them. 8(
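The two approaches from the previous slides, and the training-data problem on this one, as an added Python example that is not part of the lecture: a signature (misuse) detector and a per-minute request-rate anomaly detector run over constructed traffic, once with a clean baseline and once with a baseline that already contained the attacker's flood. The event record format, signature names, IP addresses, paths and the z-score threshold are all constructed for the illustration.

```python
import re
import statistics
import urllib.parse
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One per-source, per-minute summary record (constructed format)."""
    minute: int
    src: str
    requests: int   # requests seen from src in that minute
    path: str       # one representative request path from that minute


# Constructed quiet baseline: 20 minutes, five workstations, 20-30 requests each.
BASELINE = [Event(m, "10.0.0.%d" % (m % 5 + 1), 20 + (m * 7) % 11, "/index.html")
            for m in range(20)]

# Constructed test window: normal traffic, a low-volume probe that matches a
# known pattern (plain and percent-encoded), and a flood that matches nothing.
TEST = [
    Event(20, "10.0.0.2", 24, "/index.html"),
    Event(21, "10.0.0.9", 22, "/cgi-bin/../../etc/passwd"),
    Event(22, "10.0.0.7", 400, "/index.html"),
    Event(23, "10.0.0.9", 23, "/cgi-bin/%2e%2e/%2e%2e/etc/passwd"),
]

# Constructed baseline that already contains four minutes of the same flood:
# the attacker was active while the "normal" profile was being learned.
CONTAMINATED = BASELINE + [Event(100 + i, "10.0.0.7", 400, "/index.html") for i in range(4)]

# Misuse detection: a table of what known attacks look like.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sql-injection": re.compile(r"(?i)union\s+select"),
}


def misuse_detect(events):
    """Return (minute, src, rule) for every event whose path matches a signature.

    The path is percent-decoded first; without that step the encoded probe
    in TEST slips past the same rule, which is the 'easy to fool' point.
    """
    hits = []
    for e in events:
        path = urllib.parse.unquote(e.path)
        for name, rx in SIGNATURES.items():
            if rx.search(path):
                hits.append((e.minute, e.src, name))
    return hits


class RateAnomalyDetector:
    """Learns the mean and spread of per-minute request counts, alerts on outliers."""

    def __init__(self, threshold=3.0):
        self.threshold = threshold   # alert when the z-score exceeds this many stdevs
        self.mean = None
        self.stdev = None

    def train(self, events):
        counts = [e.requests for e in events]
        self.mean = statistics.mean(counts)
        self.stdev = statistics.pstdev(counts) or 1.0   # guard a constant baseline
        return self

    def detect(self, events):
        """Return (minute, src, z) for events whose request count is anomalous."""
        hits = []
        for e in events:
            z = (e.requests - self.mean) / self.stdev
            if z > self.threshold:
                hits.append((e.minute, e.src, round(z, 1)))
        return hits


if __name__ == "__main__":
    print("misuse:", misuse_detect(TEST))
    print("anomaly, clean baseline:", RateAnomalyDetector().train(BASELINE).detect(TEST))
    print("anomaly, contaminated baseline:", RateAnomalyDetector().train(CONTAMINATED).detect(TEST))
```

The signature detector finds the probe at a normal request rate and, once paths are decoded, its encoded twin, but has nothing to say about the flood. The rate model catches the flood against a clean baseline and misses it entirely when the baseline was learned while the flood was already running, which is the slide's "hacking will be considered normal" case.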
More Problems with Anomaly Detection
• The dynamic update problem is unsolved.
– You can train these systems successfully to handle
static environments, but computer networks are
dynamic.
– If you try to retrain an existing system to deal with new
events, it will usually forget its old training. You have
to give it the old training data as well as the new.
– One approach avoiding the use of old data is to give the
old system random data and train the new version on
the resulting outputs as well as the new data.
– Good research area.
Possible Approaches to Anomaly Detection
• Bayesian statistics—like current spam filters. Relies on
human training, and can adapt over time if the human
controller continues to train it.
• Neural networks—probably will not be as successful as
the human trainer is less hands-on. Has to deal with the
‘catastrophic forgetting problem’, either by retaining
training data or regenerating it.
• Expert systems—a hybrid anomaly/misuse detection
solution. Depends on how easily it can be trained.
Multiple experts will differ.
• Statistical decision theory—only if the cues used by the
experts can be successfully identified.
Inline versus Audit-Based IDS
• Should the IDS detect attacks in real-time
using a sniffer or use audit log processing?
– Inline will have incomplete data.
– Inline is also computationally expensive.
– Audit log processing is after the fact.
– Audit log formats vary quite a bit.
– A combined approach is feasible, but costly.
Audit Log Architecture
[Diagram, after Amoroso. Labels: The System Being Monitored, Audit Trail, Audit Log Data, Cues, Profiles, IDS, Alerts, Reports. The monitored system writes an audit trail; the audit log data, together with cues and profiles, feed the IDS, which produces alerts and reports.]
Inline Architecture
[Diagram, after Amoroso. Labels: The System Being Monitored, Sniffer, Data, Cues, Profiles, IDS, Alerts, Reports. A sniffer captures data from the monitored system; the data, together with cues and profiles, feed the IDS, which produces alerts and reports.]
Host-Based versus Network-Based IDS
• Network-based IDS is basically wiretapping using a sniffer:
– Stealthy
– Operating-system independent
• Host-based IDS uses audit logs
– From workstations, servers, switches, routers,
etc.
– Product-specific.
Make or Buy
• Do your own monitoring or pay someone
else? E.g.,
– Counterpane in America
– Qinetiq in the UK
• Trust issues particularly important here.
• In-house expertise requirement.
Honey Pots and Burglar Alarms
• Burglar alarms are resources on the network that
generate an alarm if accessed incorrectly.
• Honey pots are burglar alarms dressed up to look
attractive. May incorporate subnetworks and dummy
computers.
– Costly
– Have to look real to the attackers
– Legality important. Entrapment may be an issue, so
intruders must be warned.
• Read http://csrc.nist.gov/publications/secpubs/berferd.ps
• See also
http://www.strategypage.com/fyeo/howtomakewar/default.asp?target=HTIW.HTM
Incident Handling Issues
• Be prepared
• Have procedures
• Don’t panic
• Call in the police?
• Expectation management
• Damage control
• Dealing with witch hunts
IDS Requirements
• Must be:
– Effective
– Easy to use
– Adaptable
– Robust
– Fast
– Efficient
– Safe
Future IDS Needs
• Should be:
– Accommodating
– Security enhancing
– Scalable
– Realistic
– Hardened
Conclusions
• Intrusion Detection Systems are useful, but
not a panacea.
• In particular, they cannot substitute for good
security practices.
• They tell you if you have had a problem,
but that can be too late.