Intrusion Detection - Indian Institute of Technology, Indore

Intrusion Detection
Dr. Neminath Hubballi
IIT Indore © Neminah Hubballi
Intrusion
• When a user of an information system takes an action that the user is not legally allowed to take, it is called an intrusion.
• It attempts to compromise
• Confidentiality
• Integrity and/or
• Availability of a system resource.
• Intrusion detection is a second line of defense; the first is intrusion prevention systems.
• It can identify classes of intrusions such as:
• Spoofing
• Illegal logins
• Worm propagations
Intrusion Detection
• Intrusion detection: Monitor the system
execution for security violations and take
corrective measures when a violation is
detected.
• It involves determining that some entity has attempted, or worse, gained access to
system resources in an unauthorized way.
IDS Taxonomy
• Detection Method: Characteristics of analyzer
– Behavior Based: uses info about normal behavior.
– Knowledge based: uses info about attacks.
• Behavior on Detection: the response of system
– Passive alerting.
– Active response.
• Audit source location:
– Host log files.
– Network packets.
• Usage frequency:
– Continuous monitoring
– Periodic monitoring
Host Based IDS
• Concerned about security of a single machine.
• Typically works by detecting changes to the file system and other key data
structures.
• Uses the log information of system for analysis.
• Ex: syslog
• With some modification to the OS kernel, the IDS can be made to look at
system calls and model them for intrusion detection.
• Tripwire is an example of this kind.
State Modeling
• Encodes the behavior as a set of states.
• An action in the system triggers the movement to the next state.
• The state of a system is a function of all the users, processes, and data present at a given time.
• The system starts in a state representing normal behavior, and each illegal event takes it towards the state representing the intrusion.
State Modeling
[Figure: generic state transition diagram]
Signature Based Detection
• General view
[Figure: Network -> NIDS Sensor (Packets) -> Analysis Backend (consults Signature Database) -> Alerts]
Rule-Based Intrusion Detection
• Snort and Bro
• Ex 1: log tcp any any -> 192.168.1.0/24 !6000:6010
• Ex 2: alert icmp any any -> any any (msg: "Ping with TTL=100"; ttl: 100;)
• Ex 3: alert ip any any -> 192.168.1.0/24 any (content-list: "porn"; msg: "Porn word matched";)
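A header-only matcher for Snort-style rules, added here as an example (it is not Snort's or Bro's code): it parses the action, protocol, addresses and ports of the three rules above and tests constructed packets against them. The option list in parentheses (msg, ttl, content-list) is ignored, "ip" rules are assumed to cover every protocol, and ICMP packets are given port 0 by assumption.

```python
import ipaddress

def _match_addr(spec, addr):
    # 'any', a host or CIDR block, optionally negated with a leading '!'
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(addr) in net) != negate

def _match_port(spec, port):
    # 'any', a single port or a 'lo:hi' range (either end may be open), optionally '!'-negated
    if spec == "any":
        return True
    negate = spec.startswith("!")
    body = spec.lstrip("!")
    if ":" in body:
        lo, hi = body.split(":", 1)
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(body)
    return hit != negate

def parse_header(rule):
    """Split 'action proto src sport -> dst dport'; the option list in parentheses is dropped."""
    fields = rule.split("(", 1)[0].split()
    action, proto, src, sport, _arrow, dst, dport = fields   # raises ValueError on a malformed header
    return {"action": action, "proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}

def match(rule, pkt):
    """Return the rule's action if pkt (proto, src, sport, dst, dport) matches its header, else None."""
    h = parse_header(rule)
    if h["proto"] != "ip" and h["proto"] != pkt["proto"]:  # assumption: 'ip' rules cover every protocol
        return None
    if (_match_addr(h["src"], pkt["src"]) and _match_port(h["sport"], pkt["sport"])
            and _match_addr(h["dst"], pkt["dst"]) and _match_port(h["dport"], pkt["dport"])):
        return h["action"]
    return None

# The three rules from the slide, exactly as written there.
RULES = [
    'log tcp any any -> 192.168.1.0/24 !6000:6010',
    'alert icmp any any -> any any (msg: "Ping with TTL=100"; ttl: 100;)',
    'alert ip any any -> 192.168.1.0/24 any (content-list: "porn"; msg: "Porn word matched";)',
]

# Constructed packets: HTTP into the monitored subnet (logged by Ex 1) and X11 on port 6005 (excluded by !6000:6010).
WEB = {"proto": "tcp", "src": "10.0.0.5", "sport": 40000, "dst": "192.168.1.7", "dport": 80}
X11 = {"proto": "tcp", "src": "10.0.0.5", "sport": 40001, "dst": "192.168.1.7", "dport": 6005}
```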
Anomaly Detection
Builds models of normal behavior, and automatically
detects any deviation from it
• Collect data and determine the pattern of legitimate users
• Threshold detection
– Define thresholds for frequency of occurrence of events
• Profile based detection
– Develop profile of activity for each user.
Anomaly Detection Methods
• Statistical approach.
– A simple statistical count of activities decides the
boundary between normal and abnormal.
– A relatively old method of IDS technology.
– Gives only a vague definition of system behavior, but is still
relevant.
– Produces many false alarms if the system behavior
changes frequently.
Anomaly Detection Methods (cont.)
• Machine learning techniques
– Classification: decision tree, SVM, neural
network, fuzzy logic, etc.
– Clustering: based on the assumption that normal and
abnormal behaviors fall into two different clusters, so
grouping them is easy.
– Hybrid: combining different classification
techniques with an ambitious objective of
achieving better classification efficiency.
IDS Terminology
• True Positive (TP): when the attack succeeded and
the IDS was able to detect it (Success & Detection)
• True Negative (TN): when the attack failed and the
IDS did not report on it (¬Success & ¬Detection)
• False Positive (FP): when the attack failed and the
IDS reported on it (¬Success & Detection)
• False Negative (FN): when the attack succeeded and
the IDS was not able to detect it (Success &
¬Detection)
Performance Metrics for IDS
• Accuracy: the proper detection of attacks and
the absence of false alarms
• Performance: the rate at which traffic and audit
events are processed
– To keep up with traffic, may not be able to put IDS
at network entry point
– Instead, place multiple IDSs downstream
• Fault tolerance: resistance to attacks
– Should be run on a single hardened host that
supports only intrusion detection services
• Timeliness: time elapsed between intrusion
and detection
Characterizing the IDS
• Effectiveness
• Efficiency
• Ease of use
• Security
• Interoperability
Indian Institute of Technology Guwahati, 09-04-2015
Base Rate Fallacy
• Hypothesize a figurative computer network with
– Tens of workstations
– A few servers
– A few dozen users
– 1000000 audit records per day
– 1 or 2 attempted attacks per day
– 10 audit records per attack
Bayesian Detection Rate
• True positive rate: $P(A \mid I)$
• False positive rate: $P(A \mid \neg I)$
• False negative rate: $P(\neg A \mid I) = 1 - P(A \mid I)$
• True negative rate: $P(\neg A \mid \neg I) = 1 - P(A \mid \neg I)$
• Our interest is the Bayesian detection rate $P(I \mid A)$, and, for the absence of an alarm, $P(\neg I \mid \neg A)$: the probability that no alarm means there is nothing to worry about.
Bayesian Detection Rate
$$P(I \mid A) = \frac{P(I)\,P(A \mid I)}{P(I)\,P(A \mid I) + P(\neg I)\,P(A \mid \neg I)}$$
For the figurative network of the previous slide:
$$P(I) = \frac{2 \cdot 10}{1000000} = 0.00002, \qquad P(\neg I) = 1 - P(I) = 1 - 0.00002 = 0.99998$$
$$P(I \mid A) = \frac{0.00002 \cdot P(A \mid I)}{0.00002 \cdot P(A \mid I) + 0.99998 \cdot P(A \mid \neg I)}$$
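The base-rate calculation of the two slides above carried through in code, as an added example that is not part of the original deck: the functions take the prior P(I), the true positive rate P(A|I) and the false positive rate P(A|¬I) and return P(I|A) and P(¬I|¬A); the numbers are those of the figurative network (2 attacks per day, 10 records each, 1000000 records per day).

```python
def intrusion_prior(attacks_per_day, records_per_attack, records_per_day):
    """P(I): fraction of audit records that belong to an intrusion."""
    return attacks_per_day * records_per_attack / records_per_day

def bayesian_detection_rate(p_i, tpr, fpr):
    """P(I|A): probability of a real intrusion given that the IDS raised an alarm.

    p_i -- prior P(I); tpr -- true positive rate P(A|I); fpr -- false positive rate P(A|not I)
    """
    p_not_i = 1.0 - p_i
    denom = p_i * tpr + p_not_i * fpr              # P(A): an alarm is raised at all
    return (p_i * tpr) / denom if denom else 0.0   # no alarms ever: nothing to condition on

def no_alarm_confidence(p_i, tpr, fpr):
    """P(not I | not A): probability that there is no intrusion given that no alarm was raised."""
    p_not_i = 1.0 - p_i
    fnr = 1.0 - tpr                                # P(not A | I)
    tnr = 1.0 - fpr                                # P(not A | not I)
    denom = p_not_i * tnr + p_i * fnr              # P(not A)
    return (p_not_i * tnr) / denom if denom else 0.0

def detection_table(p_i, tpr, fprs):
    """P(I|A) for each candidate false positive rate, to show how the prior dominates."""
    return {fpr: bayesian_detection_rate(p_i, tpr, fpr) for fpr in fprs}

if __name__ == "__main__":
    # The slide's figurative network: 2 attacks/day, 10 records each, 1000000 records/day.
    p_i = intrusion_prior(2, 10, 1_000_000)        # 0.00002
    # Even with a perfect detector (P(A|I) = 1), a 1e-5 false positive rate still leaves
    # one alarm in three being spurious; P(not I | not A) stays close to 1 throughout.
    for fpr, rate in detection_table(p_i, 1.0, (0.1, 0.01, 0.001, 0.0001, 0.00001)).items():
        print(f"P(A|not I) = {fpr:<8g}  P(I|A) = {rate:.4f}  "
              f"P(not I|not A) = {no_alarm_confidence(p_i, 1.0, fpr):.6f}")
```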
IDS from birth till date...
[Figure: timeline of IDS systems with "From" and "To" years spanning 1980 to 2009; only the year labels survived extraction, the system names did not.]