What is Firewall? Design goals – All traffic from inside to outside and vice versa must pass through the firewall – A single checking point that keeps unauthorized traffic (i.e., worm) out of the protected network Internet How it functions? Technique – Control access via security policy Types – Packet filter router – Application-level gateway – Stateful filter vs. stateless filter – Personal firewall Packet-Filtering Router Packet-Filtering Router – – – Applies a set of rules to each incoming IP packet Decides forwarding or discarding the packet Only examine the header, do not “see inside” a packet Pros & Cons – – Simple No application-specific protection HTTP Telnet Internet 129.10.10.1 209.10.10.1 Packet-Filtering Router Filtering rules – Src/dest IP address; src/dest port; protocol field; etc. – Default Discard vs. forward action Internal host address Internal port External host address External port function block * * 192.10.*.* * Block all packets from 192.10.*.* action Internal host address Internal port External host address External port function allow 129.10.10.3 25 * * Allow inbound mail to 129.10.10.3 Packet-Filtering Router The dangerous services – – – – – finger (port 79) telnet (port 23) ftp (port 21) rlogin (port 513) ICMP finger Telnet Internet ftp rlogin Stateful Inspection Firewall Stateful Inspection Firewall – Maintains state information from one packet to another in the input stream – Tightens up the rules for TCP traffic Source address Source port Destination address Destination port State 192.10.10.16 3321 216.10.18.123 80 established Application-level gateway Application level proxy/gateway – – – – Relay of application traffic Run pseudoapplications Looks to the inside as if it is the outside connection Looks to the outside as if it is the inside Pros & Cons – – Processing overhead Diverse functionality HTTP Internet SMTP FTP TELNET Deployment Considerations – Performance – Security of firewall itself – Runs on minimized OS non-firewall functions should not be done on the same machine Network Topology HTTP SMTP Internet FTP TELNET Packet filter Application gateway Personal Firewall Personal Firewall – An application that runs on a personal computer to block unwanted traffic Product – ZoneAlarm www.zonelabs.com – BlackICE Defender blackice.iss.net – Tiny Personal Firewall www.tinysoftware.com – Norton Personal Firewall www.symantec.com – Windows Benefit & Limitation Benefit – Provides a location for monitoring security- related events – Provides a platform for security-related functions: NAT, IPSec Limitations – – – – Attacks that bypass firewall Internal threats Performance Usability vs. security Intrusion Detection System Background What is Intrusion – An intrusion can be defined as any set of actions that attempt to compromise the integrity, confidentiality or availability of a resource. [Heady R. 1990] Three classes of intruder Masquerader – illegitimate user penetrates the system using a legitimate user’s account Misfeasor – legitimate user misuses his/her privileges, accessing resources that is not authorized Clandestine user -- privileged suppress audit control user uses supervisory control to Background What is Intrusion Detection System – An Intrusion Detection System (IDS) must identify, preferably in real time, unauthorized use, misuse and abuse of computer systems – It is a reactive, rather than proactive, form of system defense. Classification – Misuse intrusion detection vs. Anomaly intrusion detection Misuse intrusion detection -- detect attacks on known weak points of a system. Anomaly intrusion detection -- detect by building up a profile of the system being monitored and detecting significant deviations from this profile. – Host-based detection vs. Network-based detection History Conventional approach to system security: Authentication, Access control and Authorization. In 1980, James Anderson first proposed that audit trails should be used to monitor threats. In 1987, Dorothy Denning presented an abstract model of an Intrusion Detection System. In 1988, IDES (Intrusion Detection Expert System) – host-based IDS is developed. In 1990, Network Security Monitor is developed – network-based IDS is developed. In 1994, Mark Crosbie and Gene Spafford suggested the use of autonomous agents in order to improve the scalability, maintainability, efficiency and fault tolerance of an IDS. Structure of IDS Alerting System Data collection Agent Manager Classifier Agent Agent Agent I II III Agent IV Data reduction Data collection System Call Audit Files system Data reduction system Classifier Alerting system Data Collection and Reduction Data source – Audit files system audit files: messages,xferlog,syslog,sulog, .bash_ history... application audit files: Web server log files,…. – System Call Audit record [Denning 87] – Subject, Action, Object, Exception, Resource usage, Time stamp – User operation elementary actions COPY GAME.EXE to /usr/GAME.EXE Smith exec COPY.EXE 0 CPU = 00002 1058721678 Smith read GAME.EXE 0 RECORDS = 1 1058721679 Smith exec COPY.EXE Write-viol RECORDS = 0 1058721680 Misuse intrusion detection Misuse intrusion detection – Use patterns of well-known attacks or weak spots of the system to match and identify intrusions – Perform pattern matching – Used in the environment where a rule can be recognized. Example Misuse Intrusion Detection (Purdue) using Patten Matching Port scan Password guessing Anomaly Intrusion Detection Anomaly Intrusion Detection – Establish normal usage profiles – Observe deviation from the normal usage patterns – Example profiles: loginfrequency, locationfrequency, UseofCPU,UseofIO, ExecutionFrequencyFileReadFails、FileWriteFails Metrics – – – – Mean and standard deviation Multivariate Markov process Time Series Approaches – Data Mining Approaches – Neural Networks – Colored-petri-net Distributed IDS Honey Pot • Honeypots are closely monitored network decoys • Distract adversaries from more valuable machines on a network • Provide early warning about new attack and exploitation trends • Example • Honeypot can simulate one or more network services that you designate on your computer's ports. Product http://www.snort.org/ – http://www.dshield.org/ – – A distributed intrusion detection system, or a distributed firewall system. an attempt to collect data about cracker activity from all over the internet. This data will be cataloged and summarized. It can be used to discover trends in activity and prepare better firewall rules. Right now, the system is tailored to simple packet filters. As firewall systems that produce easy to parse packet filter logs are now available for most operating systems, this data can be submitted and used without much effort. NFR Security Inc. – Snort® is an open source network intrusion prevention and detection system utilizing a rule-driven language, which combines the benefits of signature, protocol and anomaly based inspection methods. NFR Security provides a comprehensive, integrated intrusion detection system that protects networks and hosts from known/unknown attacks, misuse, abuse and anomalies. http://www.nfr.com Real Secure by ISS http://www.iss.net/products_services/enterprise_protection/ Outline Introduction A Frame for Intrusion Detection System Intrusion Detection Techniques Ideas for Improving Intrusion Detection What is the Intrusion Detection Intrusions are the activities that violate the security policy of system. Intrusion Detection is the process used to identify intrusions. Types of Intrusion Detection System(1) Based on the sources of the audit information used by each IDS, the IDSs may be classified into – Host-base IDSs – Distributed IDSs – Network-based IDSs Types of Intrusion Detection System(2) Host-based IDSs – Get audit data from host audit trails. – Detect attacks against a single host Distributed IDSs – Gather audit data from multiple host and possibly the network that connects the hosts – Detect attacks involving multiple hosts Network-Based IDSs – Use network traffic as the audit data source, relieving the burden on the hosts that usually provide normal computing services – Detect attacks from network. Intrusion Detection Techniques Misuse detection – Catch the intrusions in terms of the characteristics of known attacks or system vulnerabilities. Anomaly detection – Detect any action that significantly deviates from the normal behavior. Misuse Detection Based on known attack actions. Feature extract from known intrusions Integrate the Human knowledge. The rules are pre-defined Disadvantage: – Cannot detect novel or unknown attacks Misuse Detection Methods & System Method Rule-based Languages State Transition Analysis Colored Petri Automata Expert System Case Based reasoning Anomaly Detection Based on the normal behavior of a subject. Sometime assume the training audit data does not include intrusion data. Any action that significantly deviates from the normal behavior is considered intrusion. Anomaly Detection Methods & System Method Statistical method Machine Learning techniques Time-Based inductive Machine Instance Based Learning Neural Network … Data mining approaches Anomaly Detection Disadvantages Based on audit data collected over a period of normal operation. – When a noise(intrusion) data in the training data, it will make a mis-classification. How to decide the features to be used. The features are usually decided by domain experts. It may be not completely. Misuse Detection vs. Anomaly Detection Advantage Disadvantage Misuse Detection Accurately and generate much fewer false alarm Cannot detect novel or unknown attacks Anomaly Detection Is able to detect unknown attacks based on audit High false-alarm and limited by training data. The Frame for Intrusion Detection Intrusion Detection Approaches 1. 2. 3. Define and extract the features of behavior in system Define and extract the Rules of Intrusion Apply the rules to detect the intrusion Audit Data 3 Training Audit Data 1 2 Features 3 Rules Pattern matching or Classification Thinking about The Intrusion Detection System Intrusion Detection system is a pattern discover and pattern recognition system. The Pattern (Rule) is the most important part in the Intrusion Detection System – – – Pattern(Rule) Expression Pattern(Rule) Discover Pattern Matching & Pattern Recognition. Machine Learning & Data mining & Statistics methods Traning Audit Data Feature Extraction Training Data & Knowled ge Pattern Extraction Expert Knowledge & Rule collection & Rule abstraction Pattern & Decision Rule Pattern Matching Alarms Intrusion Detection System Discriminate function Pass Pattern Recognition Real-Time Aduit data Rule Discover Method Expert System Measure Based method – Statistical method – Information-Theoretic Measures – Outlier analysis Discovery Association Rules Classification Cluster Pattern Matching & Pattern Recognition Methods Pattern Matching State Transition & Automata Analysis Case Based reasoning Expert System Measure Based method – Statistical method – Information-Theoretic Measures – Outlier analysis Association Pattern Machine Learning method Intrusion Detection Techniques Intrusion Detection Techniques Pattern Matching Measure Based method Data Mining method Machine Learning Method Association Pattern Discover Goal is to derive multi-feature (attribute) correlations from a set of records. An expression of an association pattern: The Pattern Discover Algorithm: Apriori Algorithm 2. FP(frequent pattern)-Tree 1. Association Pattern Detecting Statistics Approaches – Constructing temporal statistical features from discovered pattern. – Using measure-based method to detect intrusion Machine Learning Method Time-Based Inductive Machine – Like Bayes Network, use the probability and a direct graph to predict the next event Instance Based Learning – Define a distance to measure the similarity between feature vectors Neural Network Classification This is supervised learning. The class will be predetermined in training phase. Define the character of classes in training phase. A common approach in pattern recognition system Clustering This is unsupervised learning. There are not predetermined classes in data. Given a set of measurement, the aim is that establishes the class or group in the data. It will output the character of each class or group. In the detection phase, this method will get more time cost (O(n2)). I suggest this method only use in pattern discover phase Association Pattern Detecting Using the pattern matching algorithm to match the pattern in sequent data for detecting intrusion. No necessary to construct the measure. But its time cost depends on the number of association patterns. Constructs a pattern tree to improve the pattern matching time cost to linear time Discover Pattern from Rules The existing rules are the knowledge from experts knowledge or other system. The different methods will measure different aspects of intrusions. Combine these rules may find other new patterns of unknown attack. For example: – Snort has a set of rule which come from different people. The rules may have different aspects of intrusions. – We can use the data mining or machine learning method to discover the pattern from these rule. Machine Learning & Data mining & Statistics methods Traning Audit Data Feature Extraction Training Data & Knowled ge Pattern Extraction Expert Knowledge & Rule collection & Rule abstraction Pattern & Decision Rule Pattern Matching Alarms Intrusion Detection System Discriminate function Pass Pattern Recognition Real-Time Aduit data Penetration Testing 1. Define target and requirements. 2. Obtain a trusted agent. 3. Prepare test plan. 4. Obtain management signoff. 5. Confirm target addresses. 6. Port scanning Penetration Testing 7. Enumeration of web interfaces. 8. Initial vulnerability assessment using port scanner. 9. Verification scanned results. 10. Exploit vulnerabilities. 11. Password cracking. 12. Profile the target system. Penetration Testing 13. Try to find valuable info in hidden fields of html, xml, forms, applets and dynamically generated pages. 14. Try to attack application servers. 15. Glean info from banners, welcome messages and help screens. Penetration Testing 16. Glean info from cookies and session IDs. 17. Try to determine login access controls. 18. Try to spoof IDs and replay passwords. 19. Try to decompile code. 20. Try to view the password rules. 21. Locate and try to attack the DNS.