01a-intro

Topic 1
At the end of the lesson, the students are able to:
- explain different terminologies used in IDS
- make comparisons between different types of IDSs
- explain the roles of IDS
mms©

- Threats
- Intrusion detection system (IDS)
- Terminologies
- Types of IDS
- Roles of IDS

- Over the past 20 years
  - attacks have grown in intensity and frequency
  - Tools have evolved
- Today's attacker is motivated by profit
  - Where is the money?
  - In the applications!
©2009 KRvW Associates, LLC

- Network and OS-level attacks
  - Port-scanning and probing – stealth technique
  - Vulnerability scanning
  - Vulnerability exploits
- Application attacks
  - Specific to the application layer
  - Web apps common
  - OWASP Top-10
- Are you under attack?
  - How do you know?

- Port-scanning and probing
  - Remote inventory of all doors and windows: what's available?
  - The key is to avoid detection
  - Stealth technique
- Vulnerability scanning
  - What are the weak points?
  - Bad locks, unlocked doors, unpatched servers, misconfigurations
  - Inventory of weaknesses
- Vulnerability exploits
  - Now we know the weak points
  - Exploit them
  - Kick the door in, pick the lock, buffer overflow, malware

Go for flaws in business software
- Specific to the application
- XSS (Cross-site Scripting)
- SQL injection
- CSRF (Cross-Site Request Forgery)
- Authentication
- Access control
- Ad infinitum (~ "to infinity")

XSS (Cross-site Scripting)
- a type of computer security vulnerability typically found in web applications that enables malicious attackers to inject client-side script into web pages viewed by other users. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy.

CSRF (Cross-Site Request Forgery)
- also known as a one-click attack or session riding, and abbreviated as CSRF ("sea-surf") or XSRF; a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.

The Open Web Application Security Project (OWASP) Top Ten Project provides a minimum standard for web application security.
It lists the top ten most critical web application security vulnerabilities, representing a broad consensus.
1. Injection
2. Cross Site Scripting (XSS)
3. Broken Authentication and Session Management
4. Insecure Direct Object References
5. Cross Site Request Forgery (CSRF)
6. Security Misconfiguration
7. Failure to Restrict URL Access
8. Unvalidated Redirects and Forwards
9. Insecure Cryptographic Storage
10. Insufficient Transport Layer Protection
Project members include a variety of security experts from around the world who have shared their expertise to produce this list.

Threats
- Intrusion: Successful attempts of an intruder gaining access to machines they would otherwise have no access to
- Destruction: After intrusion, any loss of data/information
- Malicious code: E.g. virus, worm, etc.
- Denial-of-service (DoS): Services provided by your website become inaccessible due to too many requests from other sources
- Spamming: More of an inconvenience than a threat, spam is usually described as unsolicited email, or email that you have not requested or do not want
- Mailbombs: Large amounts of email coming from one source causing DoS on mail servers
- Forgery: Websites claiming to be someone they are not (e.g. e-banking systems) in order to gain information they should not have (e.g. usernames and passwords)
- Hack threat: Scanning activities. People looking for a way in to your system.

Two types of attacks:
1. Passive attacks
2. Active attacks

Passive attacks
- Learn or make use of information from the system but do not affect system resources
- Eavesdropping on, or monitoring of, transmissions
- Two types:
  1. Release of message contents
  2. Traffic analysis

Release of message contents: a telephone conversation, an electronic mail message, and a transferred file are subject to these threats.

Traffic analysis: Encryption masks the contents of what is transferred, so even if obtained by someone, they would be unable to extract the information.

Active attacks
- Involve some modification of the data stream or the creation of a false stream
- Four categories:
  1. Masquerade
  2. Replay
  3. Modification
  4. Denial of service

Masquerade takes place when one entity pretends to be a different entity.

Replay involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect.

Modification of messages means that some portion of a legitimate message is altered, or that messages are delayed or reordered, to produce an unauthorized effect.

Denial of service (DoS) prevents or inhibits the normal use or management of communications facilities
- disable the network or overload it with messages

- Intruders: Intruders are attackers who try to find a way to get at information by breaching the privacy of a network such as a LAN or the Internet.
- Masquerader: A user who does not have the authority to use a system, but tries to access the information as an authorized user. They are generally outside users.
- Misfeasor: They are commonly internal users and can be of two types:
  1. An authorized user with limited permissions.
  2. A user with full permissions who misuses his powers.
- Clandestine user: A user who acts as a supervisor and tries to use his privileges so as to avoid being captured.
  - Someone who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection.

IDS can also be system-specific using custom tools and honey pots.
In the case of physical building security, IDS is defined as an alarm system designed to detect unauthorized entry.

Website defacement
- ~ attack on a website that changes the visual appearance of the site. These are typically the work of system crackers, who break into a web server and replace the hosted website with one of their own.
- A message is often left on the webpage stating the defacer's pseudonym and the output from "uname -a" and the "id" command, along with "shout outs" to his or her friends.
- Sometimes, the defacer makes fun of the system administrator for failing to maintain server security.
- Most times harmless, but can sometimes be used as a distraction to cover up more sinister actions such as uploading malware.
- A high-profile website defacement was carried out on the website of the company SCO Group following its assertion that Linux contained stolen code. The title of the page was changed from "Red Hat v. SCO" to "SCO vs. World," with various satirical content following.
[Linux news documenting SCO defacement]

- Unaccountable disk utilization
- Unaccountable file system modification
- Unaccountable CPU utilization
- Network saturation
- Unknown process using sockets
- Abnormal network/system activity

Intrusion detection
- Simply ~ knowing you are under attack
- But it's not that simple…
- How do you know?
- It might not be obvious

- An IDS generally detects unwanted manipulations of computer systems, mainly through the Internet. The manipulations may take the form of attacks by crackers.
- An IDS is used to detect several types of malicious behaviors that can compromise the security and trust of a computer system. This includes network attacks against vulnerable services, data driven attacks on applications, host based attacks such as privilege escalation, unauthorized logins and access to sensitive files, and malware (viruses, trojan horses, and worms).

An IDS is a device (or application) that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station.

Intrusion prevention is the process of performing intrusion detection and attempting to stop detected possible incidents.

Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators. In addition, organizations use IDPSs for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies. IDPSs have become a necessary addition to the security infrastructure of nearly every organization.

IDPSs typically record information related to observed events, notify security administrators of important observed events, and produce reports. Many IDPSs can also respond to a detected threat by attempting to prevent it from succeeding. They use several response techniques, which involve the IDPS stopping the attack itself, changing the security environment (e.g., reconfiguring a firewall), or changing the attack's content.
[Guide to IDPS, NIST, 2007]

Assume the behavior of the intruder differs from that of the legitimate user.
- Statistical anomaly detection
  - Collect data related to the behavior of legitimate users over a period of time
  - Statistical tests are used to determine if the observed behavior is not legitimate behavior
- Rule-based detection
  - Rules are developed to detect deviation from previous usage patterns
  - An expert system searches for suspicious behavior
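As an added illustration of the two approaches just listed (not code from the course), the following Python builds per-user statistical profiles from constructed audit records and tests new records against them with a z-score, alongside a small rule-based check; the users, features and thresholds are assumptions made for the example.

```python
"""Statistical anomaly detection and rule-based detection over constructed
audit records. Added illustration, not from the course material."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed audit records: (user, day, logins, failed_logins, bytes_out_MB).
# Days 1-5 are the observation period used to build each user's profile.
AUDIT = [
    ("alice", 1, 3, 0, 12), ("alice", 2, 4, 1, 15), ("alice", 3, 3, 0, 11),
    ("alice", 4, 5, 0, 14), ("alice", 5, 4, 1, 13),
    ("bob", 1, 1, 0, 40), ("bob", 2, 2, 0, 38), ("bob", 3, 1, 1, 42),
    ("bob", 4, 2, 0, 41), ("bob", 5, 1, 0, 39),
]
# Records under test: a normal day, a large data transfer, a login storm.
TEST = [
    ("alice", 6, 4, 0, 13),
    ("bob", 6, 1, 0, 400),
    ("alice", 7, 30, 25, 12),
]
FEATURES = ("logins", "failed_logins", "bytes_out_MB")

def build_profiles(records):
    """Per-user mean and standard deviation of every feature: the behaviour
    of legitimate users collected over a period of time."""
    per_user = defaultdict(lambda: defaultdict(list))
    for user, _day, *vals in records:
        for name, value in zip(FEATURES, vals):
            per_user[user][name].append(value)
    return {u: {f: (mean(xs), pstdev(xs)) for f, xs in feats.items()}
            for u, feats in per_user.items()}

def anomaly_score(profiles, record, threshold=3.0):
    """Statistical test: z-score of each feature against the user's profile.
    Returns the features whose |z| exceeds the threshold. The deviation is
    floored at 0.5 so a feature that never varied still gets a finite score."""
    user, _day, *vals = record
    flagged = {}
    for name, value in zip(FEATURES, vals):
        mu, sigma = profiles[user][name]
        z = (value - mu) / max(sigma, 0.5)
        if abs(z) > threshold:
            flagged[name] = round(z, 1)
    return flagged

def rule_based(record):
    """Rule-based detection: fixed rules written from previous usage
    patterns, applied without any per-user statistics."""
    _user, _day, logins, failed, _mb = record
    alerts = []
    if failed >= 5:
        alerts.append("R1: repeated failed logins")
    if logins and failed / logins > 0.5:
        alerts.append("R2: most login attempts failed")
    return alerts

def detect(records=TEST):
    """Run both approaches and key the findings by (user, day)."""
    profiles = build_profiles(AUDIT)
    return {(r[0], r[1]): {"anomaly": anomaly_score(profiles, r),
                           "rules": rule_based(r)} for r in records}
```

Note that bob's large transfer is caught only by the statistical profile (no rule mentions volume), while alice's login storm trips both, which is why the two approaches are usually deployed together.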

Audit records
- Native audit records
  - All OSs include accounting software that collects information on user activity
- Detection-specific audit records
  - A collection facility can be implemented that generates audit records containing only that information required by the IDS

- Intrusion detection system (IDS)
  - ~ software, hardware or a combination of both
  - Used to detect intruder activity
  - Snort – an open source IDS
  - An IDS may have different capabilities depending upon how complex and sophisticated the components are
  - IDS appliances that are a combination of hw & sw are available from many companies
  - An IDS may use signatures, anomaly-based techniques or both.

- Network IDS (NIDS)
  - Captures data packets traveling on the network media (cables, wireless) and matches them to a database of signatures.
  - Depending upon whether a packet is matched with an intruder signature, an alert is generated or the packet is logged to a file or database.
  - One major use of Snort is as a NIDS.

- Host IDS (HIDS)
  - Host-based IDS are installed as agents on a host.
  - Can look into system and application log files to detect any intruder activity.
  - Two types:
    - Reactive – they inform you only when something has happened.
    - Proactive – they can sniff the network traffic coming to a particular host on which the HIDS is installed and alert you in real time.

- Signatures
  - ~ the pattern you look for inside a data packet.
  - Used to detect one or multiple types of attacks, e.g. the presence of "scripts/iisadmin" in a packet may indicate intruder activity
  - May be present in different parts of a packet depending upon the nature of the attack, e.g. in the IP header, transport layer header (TCP or UDP header) and/or application layer header or payload
  - Some vendor-specific IDS need updates from the vendor to add new signatures when a new type of attack is discovered.
  - Snort allows you to update signatures yourself.

- Alerts
  - ~ any sort of user notification of intruder activity.
  - Used to inform the security administrator when the IDS detects an intruder
  - Can be in the form of pop-up windows, logging to a console, sending emails, etc.
  - Stored in log files or DBs – for later analysis by experts

- Logs
  - Log messages are usually saved in files
  - Can be saved either in text or binary format.
  - The binary files can be viewed later using Snort or the tcpdump program.
  - Barnyard – can also be used to analyze binary log files generated by Snort
  - Logging in binary format is faster because it saves some formatting overhead. In high-speed Snort implementations, logging in binary mode is necessary.

- False positive / False alarms
  - ~ alerts generated due to an indication that is not intruder activity, e.g.
    - misconfigured internal hosts may sometimes broadcast messages that trigger a rule, resulting in generation of a false alert.
    - some routers, e.g. Linksys home routers, generate lots of UPnP (Universal Plug and Play) related alerts
  - False positive errors will lead IDS users to ignore its output, as it will classify legitimate actions as intrusions.
  - If too many false positives are generated, the operators will come to ignore the output of the system over time, which may lead to an actual intrusion being detected but ignored by the users.
  - The occurrences of this type of error should be minimized (it may not be possible to completely eliminate them) so as to provide useful information to the operators.
  - To avoid false alarms, you have to modify and tune different default rules. In some cases you may need to disable some rules.
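The following Python is an added illustration (not Snort's code and not from the course) that ties together the signature, alert, log and false-positive slides above: it matches a small constructed rule set, including the "scripts/iisadmin" signature and a UPnP rule, against constructed packets, logs every match, and shows suppression of a known noisy source as the first tuning step before a rule is disabled. The rule ids, messages, addresses and payloads are assumptions made for the example.

```python
"""Signature matching, alerting, logging and false-positive tuning in a toy
NIDS loop. Added illustration, not Snort and not course code; all constructed."""
import json
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes

@dataclass
class Rule:
    sid: int                     # signature id, as in Snort's "sid"
    msg: str
    content: bytes               # the pattern looked for inside the payload
    dport: Optional[int] = None  # restrict to a destination port
    enabled: bool = True         # disabling a rule is the last tuning step

# Constructed rule set. SID 1001 is the slide's example ("scripts/iisadmin" in
# a packet may indicate intruder activity); SID 1003 fires on benign UPnP traffic.
RULES = [
    Rule(1001, "WEB-IIS iisadmin access", b"scripts/iisadmin", dport=80),
    Rule(1002, "WEB-MISC directory traversal", b"../../", dport=80),
    Rule(1003, "UPnP M-SEARCH discovery", b"M-SEARCH * HTTP/1.1", dport=1900),
]

def match(rule, pkt):
    """A signature matches when its content occurs in the payload and any
    port restriction in the rule is met; disabled rules never match."""
    if not rule.enabled or (rule.dport is not None and pkt.dport != rule.dport):
        return False
    return rule.content in pkt.payload

def inspect(packets, rules, suppress=()):
    """Run every rule over every packet; return (alerts, log_lines).
    'suppress' holds (sid, src) pairs whose matches are logged but not
    alerted, the usual first tuning step before disabling a noisy rule."""
    alerts, log_lines = [], []
    for pkt in packets:
        for rule in rules:
            if not match(rule, pkt):
                continue
            record = {"sid": rule.sid, "msg": rule.msg, "src": pkt.src,
                      "dst": pkt.dst, "dport": pkt.dport}
            log_lines.append(json.dumps(record))  # text-format log entry
            if (rule.sid, pkt.src) not in suppress:
                alerts.append(f"[{rule.sid}] {rule.msg} {pkt.src} -> {pkt.dst}:{pkt.dport}")
    return alerts, log_lines

# Constructed traffic: a probe for the IIS admin scripts, a normal page
# request, and the periodic UPnP discovery a home router sends.
TRAFFIC = [
    Packet("203.0.113.9", "192.0.2.10", 80, b"GET /scripts/iisadmin/ism.dll HTTP/1.0\r\n"),
    Packet("198.51.100.4", "192.0.2.10", 80, b"GET /index.html HTTP/1.1\r\n"),
    Packet("192.0.2.1", "239.255.255.250", 1900, b"M-SEARCH * HTTP/1.1\r\nST: ssdp:all\r\n"),
]

def run_untuned():
    return inspect(TRAFFIC, RULES)
def run_tuned():
    # Tuning: the router at 192.0.2.1 is expected to send UPnP discovery.
    return inspect(TRAFFIC, RULES, suppress={(1003, "192.0.2.1")})
```

Untuned, the router's discovery packet raises a second alert next to the real probe; suppressed, it is still logged for later analysis but no longer competes for the operator's attention.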

- False negative / miss
  - occurs when an action proceeds even though it is an intrusion.
  - False negative errors are more serious than false positive errors because they give a misleading sense of security.
  - By allowing all actions to proceed, a suspicious action will not be brought to the attention of the operator.
  - The IDS is now a liability, as the security of the system is less than it was before the intrusion detector was installed

- Sensor
  - The machine on which an IDS is running is also called the sensor – it is used to "sense" the network.

Types of IDS:
- Network IDS (NIDS)
- Host-based IDS (HIDS)
- Protocol-based IDS (PIDS)
- Application Protocol-based IDS (APIDS)
- Hybrid IDS

- NIDS
  - an independent platform which identifies intrusions by examining network traffic and monitors multiple hosts.
  - gains access to network traffic by connecting to a hub, a network switch configured for port mirroring, or a network tap.
  - Network "camera" monitors from afar
    - Where is the camera located?
    - What is it pointed at?
  - An example of a NIDS is Snort.

- HIDS
  - consists of an agent on a host which identifies intrusions by analyzing system calls, application logs, file-system modifications (binaries, password files, capability/ACL databases) and other host activities and state.
  - "Camera" located on each computer
    - Collects system-level log data, on the system
    - What do they see?
  - An example of a HIDS is OSSEC.

- PIDS
  - consists of a system or agent that would typically sit at the front end of a server, monitoring and analyzing the communication protocol between a connected device (a user/PC or system) and the server.
  - For a web server this would typically monitor the HTTPS protocol stream and understand the HTTP protocol relative to the web server/system it is trying to protect.
  - Where HTTPS is in use, this system would need to reside in the "shim" or interface between where HTTPS is un-encrypted and immediately prior to it entering the Web presentation layer.

- APIDS
  - consists of a system or agent that would typically sit within a group of servers, monitoring and analyzing the communication on application-specific protocols.
  - For example, in a web server with a database this would monitor the SQL protocol specific to the middleware/business logic as it transacts with the database.

- Hybrid IDS
  - combines two or more approaches.
  - Host agent data is combined with network information to form a comprehensive view of the network.
  - An example of a Hybrid IDS is Prelude.

IDS components:
1. Sensors – generate security events
2. Console – monitors events and alerts and controls the sensors
3. Central Engine – records events logged by the sensors in a database and uses a system of rules to generate alerts from security events received.
- There are several ways to categorize an IDS depending on the type and location of the sensors and the methodology used by the engine to generate alerts. In many simple IDS implementations all three components are combined in a single device or appliance.

- In a passive system
  - The IDS sensor detects a potential security breach, logs the information and signals an alert on the console and/or to the owner.
- In a reactive system, a.k.a. intrusion prevention system (IPS)
  - the IDS responds to the suspicious activity by resetting the connection or by reprogramming the firewall to block network traffic from the suspected malicious source. This can happen automatically or at the command of an operator.

- Positive
  - Assume everything is dangerous/harmful unless proven safe
- Negative
  - Assume everything is safe unless proven dangerous
  - E.g. anti-virus
- Which do you prefer?
- Almost all IDSs are based on the negative (-) approach

Though both relate to network security, they are different.
- Firewall
  - looks outwardly for intrusions in order to stop them from happening.
  - limits access between networks to prevent intrusion and does not signal an attack from inside the network.
  - A system which terminates connections is called an IPS, and is another form of an application layer firewall.
- IDS
  - evaluates a suspected intrusion once it has taken place and signals an alarm.
  - also watches for attacks that originate from within a system
  - by examining network communications, identifying heuristics and patterns (often known as signatures) of common computer attacks, and taking action to alert operators.

- IDS is an important component of defensive measures protecting computer systems and networks from abuse.
[John McHugh, Alan Christie, and Julia Allen, "Defending Yourself: The Role of Intrusion Detection Systems", IEEE Software, 2000.]

- To identify malicious or suspicious activities
- To
  - detect misuse
  - detect anomaly: note activity that deviates from normal behaviour
- To conduct forensics
- To record and analyze network traffic
- To protect intellectual property
- To respond to the activity

- To initiate a sound, business-like incident response process
  - Minimize damage
  - Maintain evidence
  - Protect the business
  - Criminal prosecution
- IDS needs to enable these things

- Monitor and analyze user and system activities
- Auditing of system and configuration vulnerabilities
- Assess integrity of critical system and data files
- Recognition of patterns reflecting known attacks
- Statistical analysis for abnormal activities
- Data trail, tracing activities from point of entry up to the point of exit
- Installation of decoy servers (honey pots)
- Installation of vendor patches (some IDS)

- Attackers don't want to get caught
- ~ bypass detection by creating different states on the IDS and on the targeted computer.
- The adversary accomplishes this by manipulating either the attack itself or the network traffic that contains the attack.
- Discuss:
  - Ways to evade/defeat the IDS, i.e. to avoid being detected

They will use techniques to try to confuse your IDS
- Packet fragmentation (e.g. fragroute) – time-outs [link]
- Insertion/evasion attacks
  - Requires complete reassembly of packets and knowledge of end system exception handling
- Encryption
- DDoS attack (CPU, memory, bandwidth, false positives)
- Polymorphism
- Data encoding
- Javascript obfuscation
- Source spoofing
- Distributed sources
- Stealth probes

- We can manually redefine the fragments (in a packet): put a fragment 100 (IP) with a bogus port 80. The IDS assumes port 80 is safe, and lets it through. But when the packet is reassembled, it is actually on port 443, and contains the nasty data/program xyzzy.
[Figure: IP fragments 1 to 4 carrying the TCP header and data [xyzzy], reassembled on port 443]
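The slide's point that the IDS must work on the reassembled packet, not on individual fragments, is shown by this added Python example (not code from the course): inspected fragment by fragment, the constructed datagram reveals neither its real destination port nor the "xyzzy" payload, while after reassembly both are visible; the reassembler also expires incomplete fragment sets, the time-out problem the previous slide mentions. The datagram layout, fragment timeout and all addresses are assumptions made for the illustration.

```python
"""Fragment reassembly before signature matching. Added illustration, not course
code; layout simplified (4-byte header stand-in with the destination port, byte
offsets, no checksums) and every fragment below is constructed."""
import time

SIGNATURE = b"xyzzy"     # the pattern the sensor looks for in the payload
FRAG_TIMEOUT = 30.0      # seconds an incomplete fragment set is kept

class Reassembler:
    """Collects fragments keyed by (src, ip_id); returns the whole datagram
    once every byte up to the last fragment has arrived."""
    def __init__(self, now=time.monotonic):
        self.now = now
        self.pending = {}    # (src, ip_id) -> {"first": t, "frags": {off: data}, "end": n}

    def add(self, src, ip_id, offset, more, data):
        key = (src, ip_id)
        entry = self.pending.setdefault(key, {"first": self.now(), "frags": {}, "end": None})
        entry["frags"][offset] = data
        if not more:                 # the last fragment fixes the total length
            entry["end"] = offset + len(data)
        if entry["end"] is None:
            return None
        buf, seen = bytearray(entry["end"]), bytearray(entry["end"])
        for off, chunk in entry["frags"].items():
            buf[off:off + len(chunk)] = chunk
            seen[off:off + len(chunk)] = b"\x01" * len(chunk)
        if 0 in seen:                # a hole remains: still incomplete
            return None
        del self.pending[key]
        return bytes(buf)

    def expire(self):
        """Drop incomplete sets older than FRAG_TIMEOUT; return how many were dropped."""
        stale = [k for k, e in self.pending.items() if self.now() - e["first"] > FRAG_TIMEOUT]
        for k in stale:
            del self.pending[k]
        return len(stale)

def scan_fragment(data):
    """What a sensor that inspects fragments one at a time can see."""
    return SIGNATURE in data

def scan_datagram(datagram):
    """Inspection after reassembly: the real destination port and full payload."""
    dport = int.from_bytes(datagram[:2], "big")
    return dport, SIGNATURE in datagram[4:]

# Constructed datagram: header stand-in (dport 443) then the payload, split so
# the signature straddles fragments 2 and 3.
HEADER = (443).to_bytes(2, "big") + b"\x00\x00"
FRAGS = [  # (src, ip_id, offset, more_fragments, data)
    ("203.0.113.9", 7, 0, True, HEADER + b"GET /cgi"),
    ("203.0.113.9", 7, 12, True, b" xy"),
    ("203.0.113.9", 7, 15, False, b"zzy run"),
]

def naive_verdicts(frags=FRAGS):
    return [scan_fragment(f[4]) for f in frags]
def reassembled_verdict(frags=FRAGS):
    r = Reassembler()
    for src, ip_id, off, more, data in frags:
        datagram = r.add(src, ip_id, off, more, data)
        if datagram is not None:
            return scan_datagram(datagram)
    return None
```

Without the expire step a sensor that reassembles can be made to hold fragment sets that never complete, which is the resource side of the fragmentation problem.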

- If your attacker works for you
- Signature systems not likely to yield good results
- Anomaly systems
- If the attacker knows how the IDS is deployed, it can likely be fooled

- Internal NIDS can spot forbidden traffic
  - AIM, Skype, VPN
  - File/system sharing
- This can alert the security team to policy violations
- Beware of cultural impact
- You do have a written policy, right?
  - General counsel coordination
  - Expectation of privacy

Network IDS products:
- Snort
  - Sourcefire
  - Open source, commercially supported
- Bro (freeware)
- Cisco Secure IDS
- Cyclops
- Dragon Sensor
- NetDetector – Cisco
- RealSecure Network – IBM
- Shoki (freeware)
- SecureNet IDS
- SecurityMetrics

Host IDS products:
- GFI Events Manager
- RealSecure Server Sensor
- Symantec Host IDS
- Swatch
- CSA Storm Watch
- SNIPS
- Sourcefire RUA
- Snare Agents
- NetIQ Security Manager

Network IPS products:
- Network Security Platform (McAfee)
- RealSecure Guard
- IntruPro-IPS
- IPS-1 (Checkpoint)
- DefensePro
- UnityOne
- Strata Guard
- Snort Inline
- StoneGate IPS
- iPolicy Intrusion Prevention Wall
- Netscreen
- SecureNet IPS
- DeepNines SES
- Sourcefire IPS

Host IPS products:
- McAfee HIPS
- RealSecure Server Sensor
- Dragon IP
- DefenseWall HIPS
- Primary Response
- Cisco Security Agent
- Host Intrusion Prevention Service
- Threat Sentry
- Proventia Desktop
- WehnTrust
- System Safety Monitor
- Prevx ABC
- AppDefend
- Third Brigade

- IDS is only one piece of the whole security puzzle
- IDS must be supplemented by other security and protection mechanisms
- They are very important parts of your security architecture but do not solve all your problems
- The usage of different types of IDS depends on the type of the user/organization
- Each type of IDS has its own strengths and weaknesses

References:
- Guide to Intrusion Detection and Prevention Systems (IDPS), NIST CSRC Special Publication SP 800-94, released 02/2007
- Whitman, Michael, and Herbert Mattord. Principles of Information Security. Canada: Thomson, 2009. Pages 290 & 301
- "Symantec Internet Security Threat Report: Trends for July–December 2007 (Executive Summary)" (PDF). Symantec Corp., April 2008. pp. 1–3. Retrieved May 11, 2008.
- Shiflett, Chris (December 13, 2004). "Security Corner: Cross-Site Request Forgeries". php|architect (via shiflett.org). Retrieved 2008-07-03.

Acknowledgement: Parts of the course materials are the courtesy of Mrs. Madihah Mohd Saudi and Dr. Solahuddin Shamsuddin; and Ken van Wyk, KRvW Associates, LLC @ Adastra "Intrusion Detection and Prevention In-Depth" professional course (25-27 May 2009, KL)