Intruders Detection Systems
• Presently there is much interest in systems, which can detect
intrusions, IDS (Intrusion Detection System).
• IDS are of very different character.
• Some focus on one machine and try to stop the intruder from
doing damage, such is LIDS for Linux.
• Some can detect a worm attack from the way it spreads from
machine to machine, like GrIDS.
• Several are actually data mining, they determine from logfiles if
there is an intrusion based on reasoning by an expert system,
NSTAT is an example.
• Many IDS implementations are listening passively to some LAN
segment, look at the traffic and detect an intrusion. Snort IDS is a
popular freeware program of this Network IDS-type.
• Other IDS solutions protect one machine by access controls.
What is Intrusion Detection
Intrusion detection systems (IDSs) are designed for
detecting, blocking and reporting unauthorized
activity in computer networks.
“The life expectancy of a default installation of Linux Red
Hat 6.2 server is estimated to be less than 72 hours.”
“The fastest compromise happened in 15 minutes
(including scanning, probing and attacking)”
“Netbios scans affecting Windows computers were
executed with the average of 17 per day”
(source: Honeynet Project)
1. Motivation for Intrusion Detection
Unauthorized Use of Computer Systems Within Last 12 Months (source
CSI/FBI Study)
80
70
1996
60
1997
50
1998
Percentage of
40
Respondents
1999
2000
30
2001
20
2002
10
0
Y es
No
Don't Know
1. Motivation for Intrusion Detection
Most Common Attacks (source CSI/FBI)
In year 2002 most common attacks were:
•
•
•
•
Virus (78%)
Insider Abuse of Net Access (78%)
Laptop theft (55%)
Denial of Service and System Penetration (40%)
• Unauthorized Access by Insiders (38%)
(Red color shows the attack types, which IDS can decrease)
Different Types of IDSs
There are Application-, Host- and Network IDS
Application IDS
– Watch application logs
– Watch user actions
– Stop attacks targeted against an application
• Advantages
– Encrypted data can be read
• Problems
– Positioned too high in the attack chain (the attacks reach the
application)
Different Types of IDSs
Application-, Host- and Network IDS
Host IDS
–
–
–
–
Watch kernel operations
Watch network interface
Stop illegal system operations
Drop attack packets at network driver
• Advantages
– Encrypted data can be read
– Each host contributes to the detection process
• Problems
– Positioned too high in the attack chain (the attacks reach the
network driver)
Different Types of IDSs
Application-, Host- and Network IDS
Network IDS
– Watch network traffic
– Watch active services and servers
– Report and possibly stop network level attacks
• Advantages
– Attacks can be stopped early enough (before they reach the hosts or
applications)
– Attack information from different subnets can be correlated
• Problems
– Encrypted data cannot be read
– Annoyances to normal traffic if for some reason normal traffic is
dropped
2. Different Types of IDSs
Application-, Host- and Network IDS - Comparison
Technique
Data Rate
Placement
Cost ($)
Maintenance Effort
Encrypted Data
Switched Networks
Application-based
Application monitoring
Low
Application, userland process
Low to Moderate
Moderate
Supported
Not problematic
Host-based
Host system monitoring
Moderate
Kernel, system process
Moderate
Moderate to High
Supported
Not problematic
Network-based
Network segment monitoring
High
Network node
High
Low
Unsupported
Problematic
Simple Process Model for ID
Diagram
Parse data, filter data and execute
Detection Algorithms
Capture Data
For example applications log
network driver, or network cable
Analyse Data
Respond
Iterate
Drop packets, send alerts,
update routing tables,
kill processes etc.
IDS principle of detection
There are two basic methods used by ID Systems:
misuse detection and anomaly detection.
Misuse Detection
– Search attack signatures, which are patterns, byte code or
expressions belonging to a specific attack.
– often called signature-based detection
– A signature is created by analysing an attack method
–The patterns are stored inside the IDS
Example Rule:
Alert tcp !192.168.1.0/24 any -> 192.168.1.0/24 111
(Content: “|00 01 86 A5|”;msg:”External Mountd access”;)
Example of a NIDS, snort
• Enable NIDS mode of Snort
# ./snort -dev -l ./log -h 192.168.1.0/24 c snort.conf
• The above command means that let Snort work as NIDS
for the network 192.168.1.0/24 according to the rules
inside snort.conf file.
• Sample rule:
•
alert udp any any -> 192.168.1.0/24 5060
(content:"|01 6a 42 c8|"; msg: “SIP session signaling";)
• The rules are modular and it is easy to add new rules.
Typically the rules make alarms of all old security breaches
so that you cannot notice any new breaches.
IDS principle of detection
Anomaly Detection
“Distinguish abnormal from normal”
Threshold Detection
• X events in Y seconds triggers the alarm
Statistical Measures
• Current traffic profile matches the ”normal” profile
Rule-Based Methods
• Jack never logs in at 6 to 8 AM
• If Jack just sent email from Espoo office, he should not
send email from New York office at the same time
• Example: ( anomaly detection engine---SPADE)
[**] [104:1:1] spp_anomsensor: Anomaly threshold exceeded: 3.8919
[**] 08/22-22:37:00.419813 24.234.114.96:3246 -> VICTIM.HOST:80
TCP TTL:116 TOS:0x0 ID:25395 IpLen:20 DgmLen:48 DF ******S*
Seq: 0xEBCF8EB7 Ack: 0x0 Win: 0x4000 TcpLen: 28 TCP Options (4)
=> MSS: 1460 NOP NOP SackOK
[**] [104:1:1] spp_anomsensor: Anomaly threshold exceeded: 10.5464
[**] 08/22-22:22:46.577210 24.41.81.216:2065 -> VICTIM.HOST:27374
TCP TTL:108 TOS:0x0 ID:10314 IpLen:20 DgmLen:48 DF ******S*
Seq: 0x63B97FE2 Ack: 0x0 Win: 0x4000 TcpLen: 28 TCP Options (4)
=> MSS: 1460 NOP NOP SackOK
[**] [104:1:1] spp_anomsensor: Anomaly threshold exceeded: 7.8051
[**] 08/23-23:04:53.051245 VICTIM.HOST:31337 ->
64.230.133.196:3486 TCP TTL:255 TOS:0x0 ID:0 IpLen:20 DgmLen:40
DF ***A*R** Seq: 0x0 Ack: 0x22676B9 Win: 0x0 TcpLen: 20
[**] [104:1:1] spp_anomsensor: Anomaly threshold exceeded: 9.0907
[**] 09/02-01:30:31.545406 VICTIM.HOST:515 -> 24.42.220.45:1189
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:60 DF ***A**S* Seq:
0x16FC5A7F Ack: 0x529F8CE7 Win: 0x16A0 TcpLen: 40 TCP Options
(5) => MSS: 1460 SackOK TS: 124399151 14755839 NOP TCP Options
=> WS: 0
IDS principle of detection
Anomaly/Misuse Detection – Comparison
Method
Technique
Generalization
Specifity
Sensitivity
False Alarms
Adaptation
Misuse Detection
Detect Patterns of Interest
Problematic
Yes
High
Low
No
Anomaly Detection
Deviations from Learned Norms
Yes
No
Moderate
Moderate
Yes
IDS response principles
Responses
•Alerts and notifications: email, SMS, pager (important
issue: alert path must be bulletproof)
•Increase Surveillance: log more
•Throttling: slow down malicious traffic
•Blocking Access: drop data, update firewall/router
• Make Counterattack: Eye for an eye tactics
•Honey Pots and Padded Cells: route the hacker to a fake
system and let him play freely
IDS problems in the detection stage
Detection problems
•True positive, TP, is a malicious attack that is correctly
detected as malicious.
•True negative, TN, is a not an attack and is correctly
classified as benign.
•False positive, FP, is not an attack but has been classified as
an attack.
•False negative, FN, is an attack that has been incorrectly
classified as a benign.
Detection rate is obtained by testing the IDS against set of
intrusive scenarios
“…The false alarm rate is the limiting factor for the performance in an IDS”.
Advanced IDS Techniques
For Protection
•Stream Reassembly: follow connections and sessions
•Traffic Normalization: see that protocols are followed
• Bayesian Networks: Data mining and decision networks
•Graphical IDSs (for example GrIDS): use graphs to model attacks
•Feature equality heuristics: port stepping, packet gap recognition
•Genetic Programming, Human immune systems
• Tens of research systems exist
For Attacks
•
Evasion methods (fragmentation, mutation etc.)
•IDS trashing (DoS tools to like stick/snot to crash IDS capability
Detecting Intruders
• Commercially the most used IDS systems are probably misuse
based Network ID Systems, but Host-level IDS is also needed.
• As an example of a Host-level IDS let us look at LIDS for Linux.
• The philosophy of LIDS is to have a three layer protection:
– Firewall
– PortSentry
– LIDS
• The firewall limits access to only allowed ports. In a Web-server
only the TCP port 80 is absolutely necessary.
• Disable ports which are not used, for instance by removing the
daemons or by modifying /etc/inetd.conf. Leave only the basic
activities needed.
Detecting Intruders
• PortSentry is put to some port, which is often scanned but
not used in the system.
• One should find suitable ports where to put PortSentry by
looking at ports which are scanned often, like 143 or 111.
• Typically nowadays hackers do sweep scanning looking at
only one port in several machines.
• PortSentry monitors activity on specific TCP/UDP ports.
The PortSentry can take actions, like denying further
access to the port.
• This is based on the assumption that the hacker will first
probe with a scanner the machine for weaknesses.
• You install PortSentry in TCP-mode by
• portsentry -tcp
• ports are in portsentry.conf -file.
Detecting Intruders
• LIDS
• LIDS is an intrusion detection system that resides in the
Linux kernel.
• It basically limits the rights of a root user to do modifications.
It limits root access to direct port access, direct memory
access, raw access, modification of log files, limits access to
file system. It also prevents installation of sniffers or
changing firewall rules.
• An administrator can remove the protection by giving a
password to LIDS, but if a hacker breaks into the root, he
cannot without LIDS password do much damage.
• Is this good? it certainly makes the life of a hacker more
difficult, but what about a hacker getting into the kernel?
• How nice it is being an administrator using LIDS?