Intrusion Detection
Dr. Neminath Hubballi
IIT Indore © Neminath Hubballi

Intrusion
• When a user of an information system takes an action that the user is not legally allowed to take, it is called an intrusion.
• It attempts to compromise
  • Confidentiality
  • Integrity and/or
  • Availability
  of a system resource.
• A second line of defense, the first one being intrusion prevention systems.
• It can identify classes of intruders:
  • Spoofing
  • Illegal logins
  • Worm propagations

Intrusion Detection
• Intrusion detection: monitor the system execution for security violations and take corrective measures when a violation is detected.
• It involves determining that some entity has attempted, or worse, gained access to the system resources in a non-diplomatic way.

IDS Taxonomy
• Detection method: characteristics of the analyzer
  – Behavior based: uses information about normal behavior.
  – Knowledge based: uses information about attacks.
• Behavior on detection: the response of the system
  – Passive alerting.
  – Active response.
• Audit source location:
  – Host log files.
  – Network packets.
• Usage frequency:
  – Continuous monitoring
  – Periodic monitoring

Host Based IDS
• Concerned with the security of a single machine.
• Typically works by protecting the file system and other key data structures through change detection.
• Uses the log information of the system for analysis.
  • Ex: syslog
• With some modification to the OS kernel, the IDS can be made to look into system calls and model them for intrusion detection.
• Tripwire is an example of this kind.

State Modeling
• Encodes the behavior as a set of states.
• An action in the system triggers the movement to the next state.
• The state of a system is a function of all the users, processes, and data present at a given time.
• The system starts in a state representing the normal behavior, and each illegal event takes it towards the state representing the intrusion.
State Modeling
(Figure: generic state transition diagram.)

Signature Based Detection
• General view: Network -> NIDS Sensor -> Packets -> Analysis Backend -> Alerts, with a Signature Database feeding the analysis backend. (Figure.)

Rule-Based Intrusion Detection
• Snort and Bro
• Ex 1: log tcp any any -> 192.168.1.0/24 !6000:6010
• Ex 2: alert icmp any any -> any any (msg: "Ping with TTL=100"; \
        ttl: 100;)
• Ex 3: alert ip any any -> 192.168.1.0/24 any (content-list: \
        "porn"; msg: "Porn word matched";)

Anomaly Detection
Builds models of normal behavior and automatically detects any deviation from it.
• Collect data and determine the pattern of the legitimate user
• Threshold detection
  – Define thresholds for the frequency of occurrence of events
• Profile based detection
  – Develop a profile of activity for each user.

Anomaly Detection Methods
• Statistical approach
  – A simple statistical count of activities decides the boundary between normal and abnormal.
  – A relatively old method of IDS technology.
  – Gives only a vague definition of system behavior, but is still relevant.
  – Produces a large number of false alarms if the system behavior changes frequently.

Anomaly Detection Methods (cont.)
• Machine learning techniques
  – Classification: decision tree, SVM, neural network, fuzzy logic, etc.
  – Clustering: based on the assumption that normal and abnormal behaviors fall into two different clusters, hence grouping them is very easy.
  – Hybrid: combining different classification techniques with the ambitious objective of achieving better classification efficiency.
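The three Snort-style rules on the Rule-Based Intrusion Detection slide, run by a small matcher over constructed packet records. This is an added example, not code from the slides or from Snort; it handles only the header shape and options those three rules use (any, CIDR, single port or lo:hi range, ! negation, msg, ttl, content-list), and it treats content-list as one literal word rather than Snort's word-list file.

```python
import ipaddress
import re
# action proto src sport -> dst dport (options)
RULE_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s*->\s*(\S+)\s+(\S+)\s*(?:\((.*)\))?$")

def parse_rule(text):
    """Parse one rule; the slide's backslash line-continuations are joined first."""
    m = RULE_RE.match(" ".join(text.replace("\\\n", " ").split()))
    action, proto, src, sport, dst, dport, opts = m.groups()  # raises if the rule is malformed
    options = dict((k.strip(), v.strip().strip('"')) for k, v in
                   (o.split(":", 1) for o in (opts or "").split(";") if ":" in o))
    return {"action": action, "proto": proto.lower(), "src": src, "sport": sport,
            "dst": dst, "dport": dport, "options": options}
def _match_addr(spec, addr):
    """'any', a host or CIDR network, optionally '!'-negated."""
    if spec == "any":
        return True
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(addr) in net) != spec.startswith("!")
def _match_port(spec, port):
    """'any', a single port, or a 'lo:hi' range like 6000:6010, optionally '!'-negated."""
    if spec == "any":
        return True
    lo, sep, hi = spec.lstrip("!").partition(":")
    lo, hi = int(lo or 0), (int(hi) if hi else (65535 if sep else int(lo)))
    return (lo <= port <= hi) != spec.startswith("!")
def rule_matches(rule, pkt):
    """pkt: dict with proto, src, sport, dst, dport, ttl and payload (bytes); icmp uses port 0."""
    if rule["proto"] not in ("ip", pkt["proto"]):  # 'ip' rules apply to every protocol
        return False
    checks = ((_match_addr, "src"), (_match_port, "sport"), (_match_addr, "dst"), (_match_port, "dport"))
    if not all(fn(rule[k], pkt[k]) for fn, k in checks):
        return False
    o = rule["options"]
    if "ttl" in o and pkt["ttl"] != int(o["ttl"]):
        return False
    # Assumption: content-list is treated as one literal word, not Snort's word-list file
    return "content-list" not in o or o["content-list"].encode() in pkt["payload"]
def run_rules(rules, packets):
    """Return (action, msg) for every rule that fires, in packet order."""
    parsed = [parse_rule(r) for r in rules]
    return [(r["action"], r["options"].get("msg", "")) for p in packets for r in parsed if rule_matches(r, p)]
RULES = [  # the three rules from the slide, Ex 2 and Ex 3 with their continuation lines
    "log tcp any any -> 192.168.1.0/24 !6000:6010",
    'alert icmp any any -> any any (msg: "Ping with TTL=100"; \\\n ttl: 100;)',
    'alert ip any any -> 192.168.1.0/24 any (content-list: \\\n "porn"; msg: "Porn word matched";)',
]
PACKETS = [  # constructed sample packets (203.0.113.0/24 and 192.0.2.0/24 are documentation ranges)
    dict(proto="tcp", src="203.0.113.5", sport=40000, dst="192.168.1.20", dport=22, ttl=64, payload=b""),
    dict(proto="tcp", src="203.0.113.5", sport=40001, dst="192.168.1.20", dport=6005, ttl=64, payload=b"GET /porn"),
    dict(proto="icmp", src="203.0.113.9", sport=0, dst="192.0.2.1", dport=0, ttl=100, payload=b""),
]
```

Calling `run_rules(RULES, PACKETS)` shows the first packet logged by Ex 1, the second escaping Ex 1 (port 6005 is inside the negated range) but caught by Ex 3, and the third alerted by Ex 2 alone.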
IDS Terminology
• True Positive (TP): when the attack succeeded and the IDS was able to detect it (Success & Detection)
• True Negative (TN): when the attack failed and the IDS did not report on it (¬Success & ¬Detection)
• False Positive (FP): when the attack failed and the IDS reported on it (¬Success & Detection)
• False Negative (FN): when the attack succeeded and the IDS was not able to detect it (Success & ¬Detection)

Performance Metrics for IDS
• Accuracy: the proper detection of attacks and the absence of false alarms
• Performance: the rate at which traffic and audit events are processed
  – To keep up with traffic, it may not be possible to put the IDS at the network entry point
  – Instead, place multiple IDSs downstream
• Fault tolerance: resistance to attacks
  – Should be run on a single hardened host that supports only intrusion detection services
• Timeliness: time elapsed between intrusion and detection

Characterizing the IDS
• Effectiveness
• Efficiency
• Ease of use
• Security
• Interoperability
Indian Institute of Technology Guwahati, 09-04-2015

Base Rate Fallacy
Hypothesize a figurative computer network with
– Tens of workstations
– A few servers
– A few dozen users
– 1,000,000 audit records per day.
– 1 or 2 attempted attacks per day.
– 10 audit records per attack.

Bayesian Detection Rate
True positive rate: $P(A \mid I)$
False positive rate: $P(A \mid \neg I)$
False negative rate: $P(\neg A \mid I) = 1 - P(A \mid I)$
True negative rate: $P(\neg A \mid \neg I) = 1 - P(A \mid \neg I)$
Our interest is the Bayesian detection rate: $P(I \mid A)$
Absence of an alarm, i.e. $P(\neg I \mid \neg A)$, means there is nothing to worry about.

Bayesian Detection Rate
$$P(I \mid A) = \frac{P(I)\,P(A \mid I)}{P(I)\,P(A \mid I) + P(\neg I)\,P(A \mid \neg I)}$$
$$P(I) = \frac{2 \cdot 10}{1000000} = 0.00002, \qquad P(\neg I) = 1 - P(I) = 0.99998$$
$$P(I \mid A) = \frac{0.00002 \cdot P(A \mid I)}{0.00002 \cdot P(A \mid I) + 0.99998 \cdot P(A \mid \neg I)}$$

IDS from birth till date...
(Figure: timeline of IDS systems with From and To years, spanning 1980 to 2009.)
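The Bayesian detection rate from the Base Rate Fallacy and Bayesian Detection Rate slides, worked through with the deck's own figures (1,000,000 audit records per day, 2 attacks, 10 records each). This is an added example, not from the slides; it computes $P(I \mid A)$ exactly, the complementary $P(\neg I \mid \neg A)$, and, going one step beyond the slide, solves the formula for the false positive rate an IDS would need to reach a given $P(I \mid A)$.

```python
from fractions import Fraction

# The deck's figurative network
AUDIT_RECORDS_PER_DAY = 1_000_000
ATTACKS_PER_DAY = 2
RECORDS_PER_ATTACK = 10

def prior_intrusion(records=AUDIT_RECORDS_PER_DAY, attacks=ATTACKS_PER_DAY, per_attack=RECORDS_PER_ATTACK):
    """P(I): the fraction of audit records that belong to an attack, 2 * 10 / 1000000 = 0.00002."""
    return Fraction(attacks * per_attack, records)

def bayesian_detection_rate(tpr, fpr, p_i=None):
    """P(I|A) = P(I) P(A|I) / (P(I) P(A|I) + P(not I) P(A|not I)), computed exactly as a Fraction."""
    p_i = prior_intrusion() if p_i is None else Fraction(p_i)
    tpr, fpr = Fraction(tpr), Fraction(fpr)
    return p_i * tpr / (p_i * tpr + (1 - p_i) * fpr)

def no_alarm_reliability(tpr, fpr, p_i=None):
    """P(not I | not A): how far silence from the IDS can be trusted (the slide's 'nothing to worry')."""
    p_i = prior_intrusion() if p_i is None else Fraction(p_i)
    tpr, fpr = Fraction(tpr), Fraction(fpr)
    return (1 - p_i) * (1 - fpr) / ((1 - p_i) * (1 - fpr) + p_i * (1 - tpr))

def required_fpr(target_bdr, tpr=1, p_i=None):
    """Solve the Bayes formula for P(A|not I): the false positive rate needed to reach a target P(I|A)."""
    p_i = prior_intrusion() if p_i is None else Fraction(p_i)
    target_bdr, tpr = Fraction(target_bdr), Fraction(tpr)
    return p_i * tpr * (1 - target_bdr) / ((1 - p_i) * target_bdr)

def sweep(fprs, tpr=1):
    """For each false positive rate: (fpr, P(I|A), expected false alarms per day on the benign records)."""
    benign = AUDIT_RECORDS_PER_DAY - ATTACKS_PER_DAY * RECORDS_PER_ATTACK
    return [(f, float(bayesian_detection_rate(tpr, f)), float(Fraction(f) * benign)) for f in fprs]

if __name__ == "__main__":
    print("P(I) =", prior_intrusion(), "=", float(prior_intrusion()))
    for fpr, bdr, alarms in sweep([Fraction(1, 100), Fraction(1, 10_000), Fraction(1, 100_000)]):
        # even a perfect detector (P(A|I) = 1) with 1% false positives is right about 0.2% of the time
        print(f"FPR={float(fpr):.5f}  P(I|A)={bdr:.4f}  false alarms/day={alarms:.1f}")
    print("FPR needed for P(I|A) = 0.5 with P(A|I) = 1:", required_fpr(Fraction(1, 2)))
```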