Distributed Intrusion Detection
Mamata Desai (99305903)
M.Tech., CSE dept, IIT Bombay
Overview
• What is intrusion?
• Dealing with intrusion
• Intrusion detection principles
• Our problem definition
• Packages analyzed
• Our approach
• Experiments and results
• Conclusions
What is intrusion?
• The possibility of a deliberate, unauthorized attempt to:
1. Access information
2. Manipulate information
3. Render a system unreliable or unusable
• Types of intrusions:
– External attacks
  • Password cracks, network sniffing, machine and service discovery utilities, packet spoofing, flooding utilities, DoS attacks
– Internal penetrations – masqueraders, clandestine users
– Misfeasors – authorized users misusing their privileges
Example attacks
• Password cracking
• Buffer overflow
• Network reconnaissance
• Denial of service (DoS)
• IP spoofing
Dealing with intrusion
• Prevention
– isolate from the network, strict authentication, encryption
• Preemption
– “do unto others, before they do unto you”
• Deterrence
– dire warnings: “we have a bomb too”
• Deflection
– diversionary techniques to lure the attacker away
• Countermeasures
• Detection
Intrusion detection principles
• Anomaly-based
– Form an opinion on what constitutes “normal”, and decide on a threshold beyond which behaviour is flagged as “abnormal”
– Cannot distinguish illegal from merely abnormal
• Signature-based
– Model signatures of previous attacks and flag matching patterns
– Cannot detect new intrusions
• Compound (both of the above)
System characteristics
• Time of detection
• Granularity of data processing
• Source of audit data
• Response to detected intrusions
– passive v/s active
• Locus of data processing
• Locus of data collection
• Security
• Degree of interoperability
Host-based v/s network-based IDS
• Host-based IDS
1. Verifies success or failure of an attack
2. Monitors specific system activities
3. Detects attacks that network-based systems miss
4. Well suited for encrypted and switched environments
5. Near-real-time detection and response
6. Requires no additional hardware
7. Lower cost of entry
• Network-based IDS
1. Lower cost of ownership
2. Detects attacks that host-based systems miss
3. More difficult for an attacker to remove evidence
4. Real-time detection and response
5. Detects unsuccessful attacks and malicious intent
6. Operating system independence
7. Performance issues at high traffic rates
Our problem definition
• Portscanning
• Our laboratory setup
– Multiple machines with similar configuration
• Portscan on a single machine
• Distributed portscan – small, evasive scans spread over multiple machines
• Aim – detect such distributed scans
Typical lab setup
Types of portscans
• Scan types:
– TCP connect() scan
– Stealth SYN scan
– Stealth FIN scan
– Xmas scan
– Null scan
• Scan sweeps:
– One-to-one, one-to-many, many-to-one, many-to-many
Normal sequence of packets
Source                        Network messages    Target
Send SYN, seq=x                     →             Receive SYN segment
Receive SYN+ACK segment             ←             Send SYN, seq=y, ACK x+1
Send ACK y+1                        →             Receive ACK segment
… more packet exchanges …
Send ACK+FIN+RST                    →             Receive ACK+FIN+RST

Stealth SYN scan
Source                        Network messages    Target
Send SYN, seq=x                     →             Receive SYN segment
Receive SYN+ACK segment             ←             Send SYN, seq=y, ACK x+1
Send RST                            →             Receive RST

Stealth FIN scan
Source                        Network messages    Target
Send FIN                            →             Receive FIN

Stealth Xmas scan
Source                        Network messages    Target
Send FIN+PSH+URG                    →             Receive FIN+PSH+URG
Packages analyzed
• Sniffit (http://sniffit.rug.ac.be/sniffit/sniffit.html)
– A network sniffer for TCP/UDP/ICMP packets
– Interactive mode
• Tcpdump (http://www.tcpdump.org)
– A tool for network monitoring and data acquisition
• Nmap (http://www.nmap.org)
– “Network mapper” for network exploration and security auditing
– Various types of TCP/UDP scans, ping scans
• Portsentry (http://www.psionic.com/abacus/portsentry)
– Host-based TCP/UDP portscan detection and active defense system
– Stealth scan detection
– Reacts to portscans by blocking hosts
– Internal state engine to remember previously connected hosts
– All violations reported to syslog
• Snort (http://www.snort.org)
– Network-based IDS – real-time analysis and traffic logging
– Content searching/matching to detect attacks and probes – buffer overflows, CGI attacks, SMB probes, OS fingerprinting attacks
– Rules language to describe traffic to collect or pass
– Alerts via syslog, user files, WinPopUp messages
– Three functional modes – sniffer, packet logger, NIDS
Limitations of the detectors analyzed
• Portsentry
– Binds to all ports to be monitored
– A static “list” of monitored ports
– State engine tracks different hosts
• Snort
– Portscan preprocessor – flags connections to P ports in T seconds
– v1.8 – only one-to-one and one-to-many portscans detected
Our approach
• Pick up network packets
• Based on which type of portscan is to be analyzed, identify the scan signature
• Add each source and target IP address to the correlation lists
• Use the correlation lists to infer the scan sweep – one-to-one, one-to-many, many-to-one, many-to-many
Experimental Setup
Detection algorithm
• Examine each TCP packet on the network.
• Extract source and target IP addresses and ports.
• For each scan type to be detected, maintain a list of “valid” connections.
• When a scan signature is detected, add the source and target IP addresses to two correlation lists, indexed by srcIP and tarIP respectively, and remove the entry from the connections list.
• The two correlation lists have identical structure: each records the source and target IP addresses along with the number of scans seen between them.
• Scan sweeps – one-to-one, one-to-many, many-to-one and many-to-many – are detected by passes through the correlation lists.
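The detector described on the approach and detection-algorithm slides, written out as an added example (not the deck's own code). It keeps a list of half-open and valid connections, fires on the SYN/SYN+ACK/RST, FIN, Xmas and Null signatures shown in the sequence diagrams, fills the two correlation lists, and classifies the sweep. The host names and packet records are constructed to mirror the lab tables; the flag encoding is an assumption of this example.

```python
from collections import defaultdict

# Constructed packet records, not captured traffic: (src, target, service port, flags)
# in arrival order.  Flags: S=SYN, SA=SYN+ACK, A=ACK, R=RST, F=FIN, FPU=FIN+PSH+URG, ""=Null.
PACKETS = [
    ("pro-13", "pro-19", 25, "S"), ("pro-19", "pro-13", 25, "SA"), ("pro-13", "pro-19", 25, "R"),
    ("pro-13", "pro-19", 119, "S"), ("pro-19", "pro-13", 119, "SA"), ("pro-13", "pro-19", 119, "R"),
    ("pro-15", "pro-21", 80, "S"), ("pro-21", "pro-15", 80, "SA"), ("pro-15", "pro-21", 80, "A"),
    ("pro-13", "pro-21", 21, "F"),
]

def detect(packets):
    """Build the two correlation lists: by_src[src][target] and by_tar[target][src]
    hold the number of scan signatures seen between that pair."""
    pending = {}   # (src, target, port) -> "syn" | "synack": half-open handshakes
    valid = set()  # completed handshakes: the "valid" connection list
    by_src = defaultdict(lambda: defaultdict(int))
    by_tar = defaultdict(lambda: defaultdict(int))

    def record(src, tar):  # a signature fired: add the pair to both lists
        by_src[src][tar] += 1
        by_tar[tar][src] += 1

    for src, dst, port, flags in packets:
        key = (src, dst, port)
        if flags == "S":
            pending[key] = "syn"
        elif flags == "SA" and pending.get((dst, src, port)) == "syn":
            pending[(dst, src, port)] = "synack"      # target answered the initiator
        elif flags == "A" and pending.pop(key, None) == "synack":
            valid.add(key)                            # third step done: normal connection
        elif flags == "R" and pending.pop(key, None) == "synack":
            record(src, dst)       # SYN, SYN+ACK, then RST instead of ACK: stealth SYN scan
        elif flags in ("F", "FPU", "") and key not in valid:
            record(src, dst)       # FIN / Xmas / Null probe with no established connection
    return by_src, by_tar

def sweep_type(by_src, by_tar):
    """One pass over each correlation list classifies the scan sweep."""
    if not by_src:
        return "none"
    many_sources = any(len(srcs) > 1 for srcs in by_tar.values())
    many_targets = any(len(tars) > 1 for tars in by_src.values())
    return {(False, False): "one-to-one", (False, True): "one-to-many",
            (True, False): "many-to-one", (True, True): "many-to-many"}[(many_sources, many_targets)]

if __name__ == "__main__":
    src_list, tar_list = detect(PACKETS)
    print({s: dict(t) for s, t in src_list.items()}, sweep_type(src_list, tar_list))
```

The completed pro-15 → pro-21 handshake is left out of the lists, while the two SYN-scan signatures and the stray FIN from pro-13 correlate to a one-to-many sweep.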
Experiments
One-to-one scan
Source   Target   TCP ports
pro-13   pro-19   25, 119
pro-15   pro-21   21, 23, 80
pro-17   pro-23   22, 79

One-to-many scan
Source   Target   TCP ports
pro-13   pro-19   7, 20, 21
         pro-21   22, 23, 25, 53
         pro-23   69, 79, 80, 88
pro-15   pro-19   110, 111, 119
         pro-21   139, 143, 194, 220

Many-to-one scan
Source   Target   TCP ports
pro-13   pro-21   443, 513, 518
pro-15   pro-21   873, 3130, 6667
pro-17   pro-21   107, 20, 21, 23

Many-to-many scan
Source   Target   TCP ports
pro-13   pro-19   7, 20, 21, 79
         pro-21   80, 113, 119, 139
         pro-23   143, 194, 667
pro-15   …        …
pro-17   …        …
Conclusions
• All the scans performed by nmap were detected successfully by our detector, and the correlations were accurate.
• Some stray incidents of ident lookups did get classified as scans, due to the way closed ports behave.