Executive Summary

As businesses begin to shift from traditional storefront business to e-business, the risk of someone performing malicious activities against your business greatly increases. A variety of technologies exist to protect your networks from outsider and insider threats. Intrusion detection systems are only one part of the technologies that make up your security architecture. If properly implemented and operated, intrusion detection systems can prevent an embarrassing or damaging attack before it happens.

1.0 Introduction

Computer based networks have become an integral part of our lives. Before the Internet most computer networks were predominantly private, but with the advent of the Internet the idea of sharing information has become more prevalent. Not only has the Internet become a source of information sharing, it has also become a source of new financial endeavors. We are surrounded by e-cards and e-flowers, and while the Internet may be the gold rush of the 21st century, it is prone to theft just as the gold rush of the 19th century was. Establishing the threat and the value of the information you wish to protect is the first step in developing a security plan. Intrusion detection is just one of many components that make up a total security solution. In this paper we will discuss what intrusion detection is, what intrusion detection technologies exist, and what analysis processes exist.

1.1 What is Intrusion Detection?

When we speak about intrusion detection we are really referring to two different components: the actual technologies that exist, and the analysis processes used to evaluate the data these systems produce. Intrusion detection as a whole can easily be compared to the burglar alarm in a bank. When an intruder penetrates the perimeter an alarm is set off, and the proper authorities are notified. Just as with a physical alarm system, when an intruder penetrates a user's network an alarm is set off.
The challenge of computer based intrusion detection is being able to sort through all of the noise and pick out the real attacks. Simply put, a complete intrusion detection system is made up of two components: the technology and the human. It is always important to remember that an intrusion detection system is in fact an information system, and being an information system its fourth component is the human user.

1.2 The need for Intrusion Detection

There are several reasons why we would need to deploy an intrusion detection system. The first reason is to have the capability to detect attacks against our network devices: our routers, switches, hubs, servers, and workstations. By utilizing effective analysis processes you have the capability to stop a hacker dead in their tracks. Given the recent attacks on Yahoo, eBay, and CNN, the threat is real. Intrusion detection systems allow us to detect a potential attack ahead of time. The data these systems provide allows security administrators to decide whether another network should be blocked from entering theirs. Most if not all companies who are connected to the Internet accept that people will attempt to explore and possibly attack their networks. For this reason companies deploy network security devices such as filtering routers and firewalls. By implementing a 2-fold IDS* we can now measure the number of attempted attacks versus the number of successful attacks. It is not realistic to think that your site is immune from network attacks, and it is equally unrealistic to think that your site cannot be hacked.

* 2-fold IDS: a 2-fold system consists of two network based intrusion detection sensors, one outside of the network security device (i.e. firewall, filtering router) and one inside the network security device.
So, intrusion detection allows us to see who is attempting to penetrate our network security devices, and in addition allows us to measure the effectiveness of these devices.

2.0 Technologies

Two intrusion detection technologies exist: network based intrusion detection (NBID) and host based intrusion detection (HBID).

2.1 Network Based Intrusion Detection Systems (NBID)

Network based intrusion detection systems consist of two components: a sensor and a management console. The sensor is a rule-based engine that analyzes packets it collects from a given network segment. This rule-based engine compares network traffic against a collection of attack signatures. When a known attack is matched by the rule-based engine it displays an alarm on the management console. Packet analysis is usually done on the sensor, but some systems such as Shadow apply filters on the management console rather than on the sensor device.

2.1.1 Placement of NBID Sensors

Network based intrusion detection sensors are placed directly on or inline* with the segment to be monitored. The sensor then utilizes a promiscuous network interface to collect packets that will be analyzed by the rule-based engine. Specific media and networking technologies play a large part in determining where a sensor can and will be located. From a more general standpoint there are three basic places where we need to locate NBID sensors. The first of these is at your gateways, most importantly your Internet gateway.

[Figure: Internet, router, hub, mail server, web server and file server, with an NBID sensor on the segment reporting to an NBID console]

The second of the three is placement within your organization and behind your network security devices. This will aid you in detecting the insider threat and in measuring the effectiveness of your network security devices.

* Inline: by inline we are referring to FDDI and ATM technologies, where you must insert your device into the data path.
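The 2-fold IDS of section 1.2, and the effectiveness measurement the sensor behind the security device makes possible, carried through as an added example; this is not code from the paper. Alarm records are constructed tuples of (seconds, source, destination, signature), and the 5-second pairing window between the two sensors is an assumption.

```python
"""2-fold IDS measurement: pair alarms from the sensor outside the
firewall with alarms from the sensor inside it, to count attempted
versus successful (firewall-passing) attacks. Added example, not the
paper's code; records below are constructed."""
from collections import Counter

OUTSIDE = [  # sensor in front of the filtering router / firewall
    (100, "203.0.113.5", "192.0.2.10", "PORT_SWEEP"),
    (104, "203.0.113.5", "192.0.2.11", "PORT_SWEEP"),
    (230, "198.51.100.7", "192.0.2.20", "PASSWD_FILE_REQUEST"),
    (300, "198.51.100.7", "192.0.2.20", "SYN_FLOOD"),
    (410, "198.51.100.7", "192.0.2.25", "SMTP_EXPN"),
]
INSIDE = [   # sensor behind it: only traffic the firewall let through
    (231, "198.51.100.7", "192.0.2.20", "PASSWD_FILE_REQUEST"),
    (900, "192.0.2.40", "192.0.2.20", "PASSWD_FILE_REQUEST"),  # no outside twin
]
PAIR_WINDOW = 5  # seconds; assumed clock tolerance between the two sensors


def pair_alarms(outside, inside, window=PAIR_WINDOW):
    """Match each outside alarm to at most one inside alarm with the same
    src/dst/signature seen within the window. Returns (pairs, unpaired_inside)."""
    unused = list(inside)
    pairs = []
    for o in outside:
        match = next((i for i in unused
                      if i[1:] == o[1:] and 0 <= i[0] - o[0] <= window), None)
        pairs.append((o, match))
        if match:
            unused.remove(match)
    return pairs, unused


def effectiveness(outside, inside):
    """Attempted vs. passed-through counts, overall and per signature."""
    pairs, unpaired = pair_alarms(outside, inside)
    attempted = len(pairs)
    passed = sum(1 for _, m in pairs if m)
    per_sig, per_sig_passed = Counter(), Counter()
    for o, m in pairs:
        per_sig[o[3]] += 1
        if m:
            per_sig_passed[o[3]] += 1
    return {
        "attempted": attempted,
        "passed_firewall": passed,
        "blocked_ratio": (attempted - passed) / attempted if attempted else None,
        "by_signature": {s: (per_sig_passed[s], n) for s, n in per_sig.items()},
        # inside alarms with no outside twin: insider activity, or a gap in
        # the outer sensor's coverage, either of which deserves a look
        "inside_only": unpaired,
    }


if __name__ == "__main__":
    for k, v in effectiveness(OUTSIDE, INSIDE).items():
        print(f"{k}: {v}")
```

The pairing key deliberately excludes the timestamp, since the two sensors will not see the packet at exactly the same instant; the window bounds how far apart the two observations may be.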
The third area of placement is where your critical servers are. By placing an NBID sensor inline with your critical servers you will be able to know if a potential attack succeeded. The placement of this additional sensor also allows for overlap in case the sensor at the gateway fails to detect an attack.

2.1.2 NBID Attack Signatures

Network based sensors utilize two types of attack signatures: string matching and pattern matching. The first of the two, string matching, allows you to alarm on character strings on well-known services such as web, FTP, and mail. These signatures are customizable and allow you to create new ones as needed. For example, with the recent "I LOVE YOU" virus you could have created a signature to detect every incoming and outgoing email containing the "I LOVE YOU" string. In addition to alarming on strings in email you can also detect unauthorized access to password files. The second signature technology utilized by NBID sensors is pattern matching. Pattern matching involves detecting attacks that exploit the TCP/IP stack. These attacks include net sweep echoes, SYN floods, and IP fragments, to name a few. Using the rule-based engine, the system processes the packets looking for distinct patterns, and possibly flags, in the TCP/IP headers. With most commercial NBID systems it is common not to have the capability to create new pattern matching signatures; their attack signatures tend to be in binary code and are regarded as proprietary information.

2.1.3 Reactive Intrusion Detection

Most NBID systems include a reactive component that allows the owner of the system to set a desired reaction to an event. Below is a list of possible actions that can be taken by the system.

Reconfigure firewall: Configure the firewall to filter out the IP address of the intruder. However, this still allows the intruder to attack from other addresses. Checkpoint firewalls support a "Suspicious Activity Monitoring Protocol (SAMP)" for configuring firewalls.
Checkpoint has their "OPSEC" standard for re-configuring firewalls to block the offending IP address.
Chime: Beep or play a .WAV file. For example, you might hear a recording "You are under attack".
SNMP trap: Send an SNMP trap datagram to a management console like HP OpenView, Tivoli, Cabletron Spectrum, etc.
NT event: Send an event to the Windows NT event log.
syslog: Send an event to the UNIX syslog event system.
Send e-mail: Send e-mail to an administrator to notify them of the attack.
Page: Page (using normal pagers) the system administrator.
Log the attack: Save the attack information (timestamp, intruder IP address, victim IP address/port, protocol information).
Save evidence: Save a trace file of the raw packets for later analysis.
Launch program: Launch a separate program to handle the event.
Terminate the TCP session: Forge a TCP FIN packet to force a connection to terminate.

2.2 Host Based Intrusion Detection (HBID)

Host based computers are shared by many people at one time. Host based detection systems started out in the early 1980s; this was before networks were as complexly interconnected as they are today (silicon.com). IDS are powerful systems that prevent attacks and determine proper methods to prevent future attacks. Host based ID involves not only looking at the communications traffic in and out of a single host system, but also checking the integrity of the host for suspicious processes (sans.org). Host based IDS are one of the most popular methods for detecting intrusions. They check key system files and then re-check them at regular intervals for unexpected changes. Host based IDS use audit logs from a variety of different sources located within a network. These sources include host logs, firewall logs, database logs, and router logs. For example, if there is an attack or any file changes, the system reads the file and matches it against the stored signature of the file to see if they are the same.
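Returning to the NBID signature types of section 2.1.2 and the reaction table of 2.1.3, here is an added example of a small rule-based sensor; it is not code from the paper or from any product. String signatures are matched against payloads on well-known service ports, pattern signatures (net sweep echo, SYN flood) are matched on header fields over a time window, and each alarm is dispatched to a configured set of reactions. The packet records, signature names, thresholds and reaction mapping are all constructed assumptions.

```python
"""Rule-based NBID engine with string and pattern signatures and reactions.
Added example, not the paper's code. Packets are constructed dicts holding
the header fields a sensor would decode, not captured frames."""
from collections import defaultdict

PACKETS = (
    # net sweep echo: one source pings 12 hosts within the same second
    [{"ts": 1, "proto": "icmp", "src": "203.0.113.9", "dst": f"192.0.2.{i}",
      "icmp_type": 8} for i in range(1, 13)]
    # SYN flood: 25 pure SYNs to one service within a second
    + [{"ts": 5, "proto": "tcp", "src": "198.51.100.4", "dst": "192.0.2.20",
        "dport": 80, "flags": "S"} for _ in range(25)]
    # payloads on well-known services, for string matching
    + [{"ts": 9, "proto": "tcp", "src": "198.51.100.8", "dst": "192.0.2.20",
        "dport": 80, "flags": "PA", "payload": b"GET /../../etc/passwd HTTP/1.0"},
       {"ts": 10, "proto": "tcp", "src": "192.0.2.30", "dst": "198.51.100.25",
        "dport": 25, "flags": "PA", "payload": b"Subject: ILOVEYOU\r\n"},
       {"ts": 11, "proto": "tcp", "src": "192.0.2.31", "dst": "192.0.2.20",
        "dport": 80, "flags": "PA", "payload": b"GET /index.html HTTP/1.0"}]
)

# String signatures are user-editable: (name, service ports, byte string).
STRING_SIGS = [
    ("PASSWD_FILE_REQUEST", {21, 80}, b"/etc/passwd"),
    ("ILOVEYOU_MAIL", {25, 110}, b"ILOVEYOU"),
]

# Pattern signatures look at header fields over a window, not at payload.
SWEEP_HOSTS, FLOOD_SYNS, WINDOW = 10, 20, 2   # assumed thresholds / seconds


def string_matches(packets):
    for p in packets:
        if p["proto"] != "tcp":
            continue
        for name, ports, needle in STRING_SIGS:
            if p["dport"] in ports and needle in p.get("payload", b""):
                yield (name, p["src"], p["dst"])


def pattern_matches(packets):
    echo_targets = defaultdict(set)   # (src, window) -> distinct echo targets
    syns = defaultdict(int)           # (src, dst, dport, window) -> SYN count
    for p in packets:
        w = p["ts"] // WINDOW
        if p["proto"] == "icmp" and p["icmp_type"] == 8:
            echo_targets[(p["src"], w)].add(p["dst"])
        elif p["proto"] == "tcp" and p["flags"] == "S":
            syns[(p["src"], p["dst"], p["dport"], w)] += 1
    for (src, _), dsts in echo_targets.items():
        if len(dsts) >= SWEEP_HOSTS:
            yield ("NET_SWEEP_ECHO", src, f"{len(dsts)} hosts")
    for (src, dst, port, _), n in syns.items():
        if n >= FLOOD_SYNS:
            yield ("SYN_FLOOD", src, f"{dst}:{port}")


# Reaction table in the spirit of section 2.1.3 (assumed mapping).
REACTIONS = {
    "SYN_FLOOD": ["log", "syslog", "reconfigure_firewall"],
    "NET_SWEEP_ECHO": ["log"],
    "PASSWD_FILE_REQUEST": ["log", "syslog", "email"],
    "ILOVEYOU_MAIL": ["log", "email"],
}


class Sensor:
    def __init__(self):
        self.log, self.syslog, self.email, self.blocked = [], [], [], set()

    def react(self, alert):
        name, src, dst = alert
        for action in REACTIONS.get(name, ["log"]):
            if action == "log":
                self.log.append(alert)
            elif action == "syslog":
                self.syslog.append(f"<4>nbid: {name} src={src} dst={dst}")
            elif action == "email":
                self.email.append(f"Subject: IDS alarm {name} from {src}")
            elif action == "reconfigure_firewall":
                # caveat from 2.1.3: this blocks one address only; the same
                # attacker can return from another one
                self.blocked.add(src)

    def run(self, packets):
        alerts = list(string_matches(packets)) + list(pattern_matches(packets))
        for a in alerts:
            self.react(a)
        return alerts


if __name__ == "__main__":
    s = Sensor()
    for a in s.run(PACKETS):
        print(a)
    print("blocked:", s.blocked)
```

The GET for /index.html produces no alarm, which is the point of keying string signatures to both a port and a byte string: the engine only alarms on the combination the rule author asked for.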
If the signatures match, the system reports to the administrator and the configured action is applied; if the signatures do not match, an alarm is raised (hackzone.ru).

2.2.1 Placement

As mentioned in the previous section, HBID agents are located on hosts, more specifically servers, routers, firewalls, and machines of interest. Agents are typically located at the operating system level. They collect raw log file data and forward it to the analysis engine. These logs usually consist of user logs, syslog data, and router access logs. Agents may be placed on all hosts on a network or on selected hosts. Again, you would typically want to place HBID agents on your hosts of interest.

[Figure: Internet, router and hub, with HBID agents (H) on the mail server, web server and file server reporting to an HBID console]

2.2.2 Signature Technologies

There are three types of signatures in host based IDS. The first is statistical data, which depends on the data signatures that are on the system. This is very much like the historical data that is used to record the times people log in and out of the system. The only difference is that with historical data the computer basically uses artificial intelligence to build the signatures. For example, if someone works from nine to five and one day is found to be logged in at midnight, by using signatures the company's system will detect the irregular activity. This employee could have been logged in to steal company data or files. Tag files are another signature in host based IDS, which tags files electronically. For instance, if someone touches a tagged file the flag will go off and the intrusion is detected; a good example of a tagged file is the password file.

3.0 Analysis

Intrusion detection analysis is the interpretation of the data produced by intrusion detection technologies. When interpreting intrusion detection data we use three orders of analysis.
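The file signature check of section 2.2 and the tagged-file idea of 2.2.2, as an added example that is not the paper's code: a baseline of SHA-256 digests, permission bits and sizes is taken for a set of key files, stored, and re-compared at the next interval; files on a tagged list (here the password file) alarm at a higher severity. The demo files, their contents and the severity labels are constructed assumptions, and the example runs in a temporary directory.

```python
"""Host based integrity checking: baseline key files, re-check them, alarm on
change, with tagged files alarming at high severity. Added example, not the
paper's code; the demo builds its own files in a temporary directory."""
import hashlib
import json
import os
import tempfile


def file_digest(path):
    """SHA-256 of the file contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(path):
    """The signature stored per file: digest, permission bits and size."""
    st = os.stat(path)
    return {"sha256": file_digest(path), "mode": oct(st.st_mode & 0o777),
            "size": st.st_size}


def baseline(paths):
    """Record the signature of each watched file that exists."""
    return {p: snapshot(p) for p in paths if os.path.exists(p)}


def save_baseline(base, path):
    # Keep the stored baseline off the monitored host (or read-only): whoever
    # can alter the files could otherwise update the signatures to match.
    with open(path, "w") as f:
        json.dump(base, f, indent=1)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def check(base, tagged=()):
    """Compare the current state to the baseline.
    Returns a list of (severity, path, detail) alarms."""
    alarms = []
    for p, rec in base.items():
        sev = "HIGH" if p in tagged else "MEDIUM"
        if not os.path.exists(p):
            alarms.append((sev, p, "missing"))
            continue
        now = snapshot(p)
        changed = [k for k in rec if rec[k] != now[k]]
        if changed:
            alarms.append((sev, p, "changed:" + ",".join(changed)))
    return alarms


def demo():
    """Create three constructed files, baseline them, alter two, re-check."""
    d = tempfile.mkdtemp()
    passwd, hosts, motd = (os.path.join(d, n) for n in ("passwd", "hosts", "motd"))
    for p, text in ((passwd, "root:x:0:0::/root:/bin/sh\n"),
                    (hosts, "127.0.0.1 localhost\n"),
                    (motd, "welcome\n")):
        with open(p, "w") as f:
            f.write(text)
    store = os.path.join(d, "baseline.json")
    save_baseline(baseline([passwd, hosts, motd]), store)
    # Simulate the unexpected changes an interval check should catch:
    # an extra uid-0 account appended, and a watched file removed.
    with open(passwd, "a") as f:
        f.write("guest:x:0:0::/tmp:/bin/sh\n")
    os.remove(motd)
    return check(load_baseline(store), tagged={passwd})


if __name__ == "__main__":
    for alarm in demo():
        print(alarm)
```

Content, mode and size are compared separately so the alarm says what changed; a permission change with identical contents is still reported.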
There are three levels of analysis: first order analysis (1OA), second order analysis (2OA), and third order analysis (3OA).

3.1.1 First Order Analysis (1OA)

First order analysis is best related to the HP OpenView paradigm: if everything is green we are in good shape, but if the screen turns red we have a problem. First order analysis utilizes a single data source to alert the analyst of an event, and that data source is the intrusion detection technology itself (i.e. NBID or HBID). First order analysis works with real time data, meaning what is present on the screen (see fig 1). From first order analysis data we can obtain the source and destination addresses of the potential attack. In addition we can extract the source and destination host names. This allows us to gain a better understanding of where the attack might have originated.

3.1.2 Second Order Analysis (2OA)

Second order analysis utilizes multiple tools, multiple data sources, and correlation to analyze intrusion detection data. The use of tools (i.e. traceroute, nslookup, and whois) allows us to properly determine the possible origin of an attack. Multiple data sources refers to using data from other intrusion detection systems, router logs, and firewall logs, to name a few sources. Correlation refers to looking at multiple alarms in the context that they might be related. Correlation also allows us to validate an attack by using router and firewall logs to verify whether the suspicious traffic in fact made it into the enterprise. In addition to verifying if an attack was successful, 2OA allows us to tune our intrusion detection systems. By tuning we begin to filter out the normal traffic on a given network. This filtering allows us to see what may be potential attacks; without filtering out normal traffic, an attack could be lost in the noise.
3.1.3 Third Order Analysis (3OA)

In third order analysis we actively search for undetected intrusions and actively identify intrusion detection shortfalls (Cramer, 1998). With third order analysis we could be reviewing data from yesterday or from last year; there are no minimum or maximum time limits when analyzing data. Third order analysis allows us to discover new attacks and develop attack signatures for them.

3.2 Statistical Awareness Methods

The idea of statistical awareness methods (SAM) was developed by Dr. Myron L. Cramer. SAM is based on three distinct components: templating, correlating, and profiling, or just TCP.

3.2.1 Templating

Templating helps us to track intrusion data across a given attack model. By utilizing an attack model we can effectively group related items of data into specific objectives. Below is a commonly used attack model in information warfare and conventional warfare.

Attack Model:
Reconnaissance
Planning
Exploitation
Base Camp Development
Operations

Reconnaissance

Reconnaissance is most closely associated with net sweep echo, port sweep, and ping sweep attacks. During the reconnaissance mission a potential attacker gathers information about a potential target's network. By using only a single tool such as Fyodor's nmap, a potential attacker can create a network map including routers, firewalls, servers, and workstations. Nmap utilizes a variety of different port scanning techniques to gather information about hosts. Other tools such as Firewalk allow you to traverse firewalls and filtering routers to build network topology maps.

Planning

Following the reconnaissance stage of the attack model is the planning stage. Remember that each stage of the attack model builds on the one before it, so logically the data gathered in the reconnaissance stage is used in the planning stage. At this point a potential attacker has compiled the data they have gathered and created their network maps.
The planning stage addresses which hosts will be used during the attack, which gateway (if multiple gateways exist) is the best route, and so on.

Exploitation

At this point we know which hosts we are going to use, and we now must decide how we will gain access to them. Exploitation can be done at either the electronic level or the social engineering level. By social engineering level we mean trash digging and exploratory phone calls to gather data that may be used to crack passwords. This is important to remember: all too often security administrators forget that a system does not need to be exploited electronically if proper personnel security measures are not in place.

Base Camp Development

Now that our attacker has penetrated the network and gained super user access to a host or hosts, they can begin their base camp development. Base camp development involves setting up some type of stealth communications between the attacker and the internal network. An example of this type of communications system is Loki. Loki is a client-server system that utilizes ICMP (Internet Control Message Protocol) to set up a VPN between the attacker's workstation and the compromised host.

Operations

At this point we have successfully accomplished four of the five stages of the attack model. The fifth and final stage is beginning operations. In the operations stage we utilize our base camp to collect and send appropriate data back to a central machine used by the attacker. An example of an application that would run on the compromised host is a packet sniffer, which could collect passwords and other sensitive data. In addition to packet sniffing we could perform document searches and denial of service attacks. The idea behind operations and base camp development is that we are now an internal trusted user.

3.2.2 Correlating

Correlating is the process of analyzing data collected from multiple data sources to discover possible relationships (Cramer, 1998).
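Before going on to the correlation methods, the templating step of section 3.2.1 as an added example that is not the paper's or Cramer's code: sensor alarms are grouped per external source against the five-stage attack model above, and each source is reported with the furthest stage it has reached and any earlier stages for which no evidence was seen. The signature-to-stage mapping and the alarm records are constructed assumptions; planning is deliberately left without any signature, because that stage produces no traffic to observe.

```python
"""Templating intrusion data against the five-stage attack model.
Added example, not the paper's code; mapping and alarms are assumed."""
from collections import defaultdict

STAGES = ["reconnaissance", "planning", "exploitation",
          "base camp development", "operations"]

# Assumed mapping of alarm types to the stage they evidence.
STAGE_OF = {
    "NET_SWEEP_ECHO": "reconnaissance",
    "PORT_SWEEP": "reconnaissance",
    "DNS_ZONE_TRANSFER": "reconnaissance",
    "FIREWALK_PROBE": "reconnaissance",
    "BUFFER_OVERFLOW_ATTEMPT": "exploitation",
    "PASSWD_FILE_REQUEST": "exploitation",
    "ICMP_TUNNEL_TRAFFIC": "base camp development",
    "PROMISCUOUS_INTERFACE": "operations",
    "OUTBOUND_DOS_TRAFFIC": "operations",
}

# Constructed alarms: (timestamp, external source, signature)
ALARMS = [
    ("06-01 01:02", "203.0.113.7", "NET_SWEEP_ECHO"),
    ("06-01 01:05", "203.0.113.7", "PORT_SWEEP"),
    ("06-03 22:40", "203.0.113.7", "BUFFER_OVERFLOW_ATTEMPT"),
    ("06-04 03:15", "203.0.113.7", "ICMP_TUNNEL_TRAFFIC"),
    ("06-02 14:00", "198.51.100.9", "PORT_SWEEP"),
    ("06-02 14:01", "198.51.100.9", "UNKNOWN_SIGNATURE"),
]


def template(alarms):
    """Map each source to {stage: [timestamps]} using the attack model.
    Alarms with no stage are returned separately for third order review."""
    per_source = defaultdict(lambda: {s: [] for s in STAGES})
    unmapped = []
    for ts, src, sig in alarms:
        stage = STAGE_OF.get(sig)
        if stage is None:
            unmapped.append((ts, src, sig))
            continue
        per_source[src][stage].append(ts)
    return dict(per_source), unmapped


def progress(per_source):
    """Per source: furthest stage reached and earlier stages with no
    evidence. A gap at 'planning' is expected; a gap elsewhere points at
    a sensor blind spot worth a third order look."""
    report = {}
    for src, stages in per_source.items():
        reached = [i for i, s in enumerate(STAGES) if stages[s]]
        top = max(reached)
        gaps = [STAGES[i] for i in range(top) if i not in reached]
        report[src] = {"furthest": STAGES[top], "gaps": gaps,
                       "events": sum(len(v) for v in stages.values())}
    return report


def prioritize(report):
    """Sources ordered by how deep into the model they have progressed."""
    return sorted(report, key=lambda s: STAGES.index(report[s]["furthest"]),
                  reverse=True)


if __name__ == "__main__":
    per_source, unmapped = template(ALARMS)
    report = progress(per_source)
    for src in prioritize(report):
        print(src, report[src])
    print("unmapped:", unmapped)
```

Sorting by furthest stage rather than by alarm count is what the template buys you: a source with two reconnaissance alarms ranks below one whose single base camp alarm shows it is already inside.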
Correlation allows us to develop new information utilizing a variety of different methods. Below is a list of commonly used correlation methods:

Correlation Methods:
Source and Destination Relationships
Matching suspicious activity with relatively uninteresting activity
Associating ports and services

Source and Destination Relationships

The ability to relate source and destination relationships will allow you to begin to understand where a potential attack may be originating (i.e. a foreign country, an academic institution). In addition it may allow you to quickly decide whether an item of interest is an actual attack or not. For example, if a source address is attacker.somedomain.edu you can gather that the potential attack is originating from an academic institution. In turn, if a source address is ns.company.com and the destination is K.ROOT-SERVERS.NET you can quickly tell that this is a name server pulling its latest update from a root server.

Matching Suspicious Activity

A key characteristic of a good intrusion detection system is that it produces a large amount of data. If a system remains green for long periods of time, nine times out of ten you are not seeing any potential attacks or successful attacks. It is because of this characteristic that the ability to match suspicious activity with uninteresting activity is key. An example of matching suspicious activity: an attacker sends an ICMP echo to a machine, and then follows up with a DNS zone transfer. The unauthorized zone transfer is definitely interesting activity, but the ICMP echo may not be. In fact you probably will not be alarming on a single ICMP echo, but you would be on DNS zone transfers. By going back and looking at our data we find that the potential attacker had probed the target first before attempting to transfer a DNS zone.

Associating Ports and Services

Another method of correlation is the association of ports and services with intrusion detection data.
By associating ports and services we mean analyzing the data to determine which protocols were being used (HTTP, FTP, telnet, rcp, etc.). This will allow us to interpret what the potential attacker was actually doing. It may also allow us to build exclusion records by determining which ports and services are normal on the segment we are monitoring.

3.2.3 Profiling

Profiling is placing the source of a potential attack into a group profile to gain a better understanding of why something is happening. These profiles are listed below:

Group Profiles:
Academic
Punk
Professional
Disgruntled Employee

Academic

The academic is typically out for the challenge; most are computer science students who attempt to hack systems for the heat of the game. Most will not do any damage and in the end will inform the system administrator of their system's weaknesses. The academic hacker has been around for years and will continue to be a player in the world of intrusions and attack development.

Punk

Today's punks are most commonly referred to as script kiddies; most have no idea how the exploits they attempt to use work. These kiddies' or punks' main objective is to deny, degrade, disrupt, and possibly destroy your network. The key concept to remember is that punks and script kiddies tend to have no mission or objectives. Punks can usually be detected with ease; most times they use older exploits that intrusion detection systems already have signatures for.

Professional

The first and most important point to make about the professional is that they have a list of goals and objectives. It is uncommon for them to use known attacks to penetrate a system. Professionals will use exploits that they develop or receive knowledge of from other professionals. These individuals or groups understand the exploits they are using to penetrate a network.

Disgruntled Employee

The last category in our group profiles is the disgruntled employee.
First, a disgruntled employee usually does not need to utilize any exploits; they commonly have full access to the data or systems they wish to attack. The disgruntled employee for the most part is out to destroy data and systems, and because they are valid users it may be difficult to detect any malicious activity until it has been performed. Disgruntled employees usually have a loose list of goals and objectives. For the most part they want to destroy, but they are not sure what it is that would be of value to destroy.

4.0 Conclusion

We have reviewed multiple technologies and analysis methods that make up an intrusion detection system. It is important to remember that an intrusion detection technology alone is only a reactive solution. In order to create a proactive system we must utilize analysis methods to analyze intrusion detection data. Utilizing analysis methods such as SAM we can discover and prevent new attacks. Intrusion detection continues to prove to be an important part of an enterprise's security architecture, and because of this we see a strong business case for the adoption of intrusion detection systems.
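As a closing worked example of the second order analysis of section 3.1.2 and the three correlation methods of 3.2.2 (added here; not the paper's or Cramer's code), each NBID alarm is placed in context from two data sources: the source name is classified by its domain, the alarm is validated against the firewall log to see whether the traffic reached the inside, an earlier un-alarmed ICMP echo from the same source to the same target is matched to it, the destination port is associated with a service, and known-normal traffic (the name server updating from a root server) is excluded. The alarm and firewall records, host names, the exclusion record and the time windows are all constructed assumptions.

```python
"""Second order analysis: correlate NBID alarms with the firewall log and
with what is known about source and destination. Added example, not the
paper's code; the records below are constructed."""
from datetime import datetime, timedelta

SERVICES = {21: "ftp", 23: "telnet", 25: "smtp", 53: "dns", 80: "http",
            514: "rcp/rsh"}

# Exclusion records: traffic known to be normal on the monitored segment.
EXCLUSIONS = {("192.0.2.2", "K.ROOT-SERVERS.NET", "DNS_ZONE_TRANSFER")}

# Constructed NBID alarms:
# (time, src ip, src name, dst ip, dst name, dst port, signature)
ALARMS = [
    ("2000-06-01 02:14:30", "203.0.113.7", "attacker.somedomain.edu",
     "192.0.2.53", "ns1.company.com", 53, "DNS_ZONE_TRANSFER"),
    ("2000-06-01 03:00:00", "192.0.2.2", "ns.company.com",
     "193.0.14.129", "K.ROOT-SERVERS.NET", 53, "DNS_ZONE_TRANSFER"),
    ("2000-06-01 04:10:00", "198.51.100.9", "dialup9.example.de",
     "192.0.2.20", "www.company.com", 23, "TELNET_LOGIN_FAILURES"),
]
# Constructed firewall log: (time, action, protocol, src ip, dst ip, dst port)
FIREWALL = [
    ("2000-06-01 02:10:05", "accept", "icmp", "203.0.113.7", "192.0.2.53", 0),
    ("2000-06-01 02:14:29", "accept", "tcp", "203.0.113.7", "192.0.2.53", 53),
    ("2000-06-01 02:59:58", "accept", "tcp", "192.0.2.2", "193.0.14.129", 53),
    ("2000-06-01 04:10:00", "deny", "tcp", "198.51.100.9", "192.0.2.20", 23),
]


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def classify_source(name):
    """Source/destination relationship: what kind of place did this come from?"""
    tld = name.rsplit(".", 1)[-1].lower()
    if tld == "edu":
        return "academic institution"
    if tld in ("gov", "mil"):
        return "government"
    if len(tld) == 2 and tld != "us":
        return f"foreign country (.{tld})"
    return "commercial/other"


def firewall_status(alarm, firewall, window=timedelta(seconds=60)):
    """Validate with the firewall log: did the flow actually get inside?"""
    when, src, _, dst, _, dport, _ = alarm
    for t, action, proto, fsrc, fdst, fport in firewall:
        if ((fsrc, fdst, fport) == (src, dst, dport) and proto != "icmp"
                and abs(ts(t) - ts(when)) <= window):
            return "reached inside" if action == "accept" else "blocked at firewall"
    return "no firewall record"


def probed_first(alarm, firewall, window=timedelta(minutes=10)):
    """Match the interesting alarm with an earlier, uninteresting ICMP echo
    from the same source to the same target (never alarmed on by itself)."""
    when, src, _, dst, _, _, _ = alarm
    for t, action, proto, fsrc, fdst, _ in firewall:
        if (proto == "icmp" and (fsrc, fdst) == (src, dst)
                and timedelta(0) <= ts(when) - ts(t) <= window):
            return t
    return None


def analyze(alarms, firewall):
    """One context row per alarm, or an exclusion verdict for known-normal traffic."""
    rows = []
    for a in alarms:
        when, src, sname, dst, dname, dport, sig = a
        if (src, dname, sig) in EXCLUSIONS:
            rows.append({"time": when, "src": sname,
                         "verdict": "excluded (known normal)"})
            continue
        rows.append({"time": when, "src": sname, "signature": sig,
                     "origin": classify_source(sname),
                     "service": SERVICES.get(dport, f"port {dport}"),
                     "status": firewall_status(a, firewall),
                     "probed_first": probed_first(a, firewall)})
    return rows


if __name__ == "__main__":
    for row in analyze(ALARMS, FIREWALL):
        print(row)
```

The zone transfer from the .edu host comes out as "reached inside" with a probe four minutes earlier, while the telnet failures from the dial-up host were blocked at the firewall: the same 1OA screen shows both as red, and it is the second data source that separates the one that needs a response from the one that needs only a note.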