Computer Security: Principles and Practice
DESCRIPTION
Computer Security: Principles and Practice, Chapter 6 – Intrusion Detection. First Edition, by William Stallings and Lawrie Brown; lecture slides by Lawrie Brown. Covers intruders (hostile or unwanted trespass, from benign to serious; user trespass such as unauthorized logon and privilege abuse), intrusion detection approaches, honeypots, and SNORT.
TRANSCRIPT
Computer Security: Principles and Practice
First Edition
by William Stallings and Lawrie Brown
Lecture slides by Lawrie Brown

Chapter 6 – Intrusion Detection
Intruders
• a significant issue: hostile or unwanted trespass, ranging from benign to serious
• user trespass: unauthorized logon, privilege abuse
• software trespass: virus, worm, or trojan horse
• classes of intruders:
  • masquerader: an outsider who uses a legitimate user's account
  • misfeasor: a legitimate user who misuses their privileges
  • clandestine user: one who seizes supervisory control of the system to evade auditing and access control
Examples of Intrusion
• remote root compromise
• web server defacement
• guessing / cracking passwords
• copying / viewing sensitive data / databases
• running a packet sniffer
• distributing pirated software
• using an unsecured modem to access the network
• impersonating a user to get a password reset
• using an unattended workstation
Security Intrusion & Detection
• Security Intrusion: a security event, or combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so.
• Intrusion Detection: a security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner.
Hackers
• motivated by the thrill of access and by status
  • the hacking community is a strong meritocracy
  • status is determined by level of competence
• benign intruders might be tolerable
  • but they do consume resources and may slow performance
  • and one can't know in advance whether an intruder is benign or malign
• IDS / IPS / VPNs can help counter them
• awareness led to the establishment of CERTs
  • which collect / disseminate vulnerability info / responses
Hacker Behavior Example
1. select target using IP lookup tools
2. map network for accessible services
3. identify potentially vulnerable services
4. brute force (guess) passwords
5. install remote administration tool
6. wait for admin to log on and capture password
7. use password to access remainder of network
Criminal Enterprise
• organized groups of hackers are now a threat
  • corporation / government / loosely affiliated gangs
  • typically young
  • often Eastern European or Russian hackers
  • common target: credit cards on e-commerce servers
• criminal hackers usually have specific targets
• once penetrated, they act quickly and get out
• IDS / IPS help but are less effective against them
• sensitive data needs strong protection
Criminal Enterprise Behavior
1. act quickly and precisely to make their activities harder to detect
2. exploit perimeter via vulnerable ports
3. use trojan horses (hidden software) to leave back doors for re-entry
4. use sniffers to capture passwords
5. do not stick around until noticed
6. make few or no mistakes
Insider Attacks
• among the most difficult to detect and prevent
• employees have access & systems knowledge
• may be motivated by revenge / entitlement
  • when employment is terminated
  • taking customer data when moving to a competitor
• IDS / IPS may help but also need:
  • least privilege, monitoring of logs, strong authentication
  • a termination process to block access & mirror data
Insider Behavior Example
1. create network accounts for themselves and their friends
2. access accounts and applications they wouldn't normally use for their daily jobs
3. e-mail former and prospective employers
4. conduct furtive instant-messaging chats
5. visit web sites that cater to disgruntled employees, such as f'dcompany.com
6. perform large downloads and file copying
7. access the network during off hours
Intrusion Techniques
• objective: to gain access or increase privileges
• initial attacks often exploit system or software vulnerabilities to execute code and obtain a backdoor
  • e.g. buffer overflow
• or to gain protected information
  • e.g. password guessing or acquisition
Intrusion Detection Systems
• classify intrusion detection systems (IDSs) as:
  • Host-based IDS: monitors the activity of a single host
  • Network-based IDS: monitors network traffic
• logical components:
  • sensors - collect data
  • analyzers - determine if an intrusion has occurred
  • user interface - manage / direct / view the IDS
IDS Principles
• assume intruder behavior differs from that of legitimate users
  • but expect some overlap between the two (the slide's figure shows overlapping distributions of intruder and legitimate-user behavior)
• observe deviations from past history
• problems of:
  • false positives (legitimate users flagged as intruders)
  • false negatives (intruders not flagged)
  • must compromise between the two: tightening the rule to reduce one increases the other
IDS Requirements
• run continually
• be fault tolerant
• resist subversion
• impose a minimal overhead on the system
• be configured according to system security policies
• adapt to changes in systems and users
• scale to monitor large numbers of systems
• provide graceful degradation of service
• allow dynamic reconfiguration
Host-Based IDS
• specialized software to monitor system activity to detect suspicious behavior
• primary purpose is to detect intrusions, log suspicious events, and send alerts
• can detect both external and internal intrusions
• two approaches, often used in combination:
  • anomaly detection - defines normal/expected behavior and flags deviations from it
    • threshold detection
    • profile based
  • signature detection - defines the patterns of known improper behavior (attacks) and flags activity that matches them
Audit Records
• a fundamental tool for intrusion detection
• two variants:
  • native audit records - provided by the O/S
    • always available but may not be optimum for the IDS
  • detection-specific audit records - IDS specific
    • additional overhead but specific to the IDS task
    • often log individual elementary actions
    • e.g. may contain fields for: subject, action, object, exception-condition, resource-usage, time-stamp
Anomaly Detection
• threshold detection
  • checks for excessive event occurrences over time
  • alone a crude and ineffective intruder detector
  • must determine both thresholds and time intervals
• profile based
  • characterize past behavior of users / groups, then detect significant deviations
  • based on analysis of audit records
    • gather metrics: counter, gauge, interval timer, resource utilization
    • analyze: mean and standard deviation, multivariate, Markov process, time series, operational model
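The two anomaly-detection approaches above, carried out over detection-specific audit records with the six fields the Audit Records slide lists, as an added example written for this page (it is not code from the slides or the textbook). The pipe-separated record format, the sample records, the "more than three failed logins in a minute" threshold and the three-standard-deviation profile limit are all assumptions chosen for illustration; the mean-and-standard-deviation model is the first of the analysis techniques the slide names.

```python
"""Added example for this page (not from the Stallings/Brown slides): threshold
detection and profile-based anomaly detection over detection-specific audit
records with the fields subject, action, object, exception-condition,
resource-usage and time-stamp.  Record format and all sample data below are
constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class AuditRecord:
    subject: str          # user or process that performed the action
    action: str           # e.g. "login", "read"
    obj: str              # object acted on (file, host, ...)
    exception: str        # "" on success, otherwise the error raised
    resource_usage: int   # bytes moved, CPU units, ... (a gauge-style measure)
    timestamp: datetime


def parse_record(line: str) -> AuditRecord:
    """Parse one 'subject|action|object|exception|usage|ISO-timestamp' line
    (an assumed, constructed format)."""
    subj, act, obj, exc, usage, ts = line.split("|")
    return AuditRecord(subj, act, obj, exc, int(usage), datetime.fromisoformat(ts))


def threshold_alerts(records, action, exception, limit, window_seconds):
    """Threshold detection: a subject is flagged when more than `limit` events
    matching (action, exception) fall inside any sliding window.  Both the
    limit and the interval have to be chosen by hand, which is the weakness
    the slide points out."""
    window = timedelta(seconds=window_seconds)
    per_subject = defaultdict(list)
    for r in sorted(records, key=lambda r: r.timestamp):
        if r.action == action and r.exception == exception:
            per_subject[r.subject].append(r.timestamp)
    flagged = set()
    for subj, times in per_subject.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 > limit:
                flagged.add(subj)
                break
    return flagged


def profile_alerts(history, current, action, z_limit=3.0):
    """Profile-based detection with the mean-and-standard-deviation model:
    build a per-subject baseline of daily resource usage for `action` from
    historical records, then flag a subject whose current-day total lies more
    than `z_limit` standard deviations above its own mean."""
    daily = defaultdict(lambda: defaultdict(int))
    for r in history:
        if r.action == action:
            daily[r.subject][r.timestamp.date()] += r.resource_usage
    today = defaultdict(int)
    for r in current:
        if r.action == action:
            today[r.subject] += r.resource_usage
    flagged = {}
    for subj, total in today.items():
        samples = list(daily[subj].values())
        if len(samples) < 2:          # no usable baseline yet: cannot judge
            continue
        mu, sigma = mean(samples), pstdev(samples)
        sigma = sigma or 1.0          # flat baseline: avoid dividing by zero
        z = (total - mu) / sigma
        if z > z_limit:
            flagged[subj] = round(z, 1)
    return flagged


# Constructed sample data: ten days of ordinary file reads for alice and carol ...
_DAILY_USAGE = [900, 1100, 1000, 950, 1050, 1000, 980, 1020, 1000, 1000]
HISTORY = [parse_record(f"{who}|read|/srv/files/report.doc||{u}|2024-03-{d:02d}T09:00:00")
           for who in ("alice", "carol") for d, u in enumerate(_DAILY_USAGE, start=1)]
# ... and one new day: alice pulls 20x her usual volume at 02:15, bob fails four
# logins in 15 seconds before succeeding, carol and dave behave normally.
TODAY = [parse_record(line) for line in """\
alice|read|/srv/files/customers.db||20000|2024-03-11T02:15:00
carol|read|/srv/files/report.doc||1050|2024-03-11T09:05:00
bob|login|host01|bad password|0|2024-03-11T08:00:05
bob|login|host01|bad password|0|2024-03-11T08:00:09
bob|login|host01|bad password|0|2024-03-11T08:00:12
bob|login|host01|bad password|0|2024-03-11T08:00:20
bob|login|host01||0|2024-03-11T08:00:31
dave|login|host01|bad password|0|2024-03-11T08:10:00
dave|login|host01||0|2024-03-11T08:10:30""".splitlines()]


def run_demo():
    """Run both detectors over the sample data: (threshold result, profile result)."""
    return (threshold_alerts(TODAY, "login", "bad password", 3, 60),
            profile_alerts(HISTORY, TODAY, "read"))


if __name__ == "__main__":
    thresh, prof = run_demo()
    print("threshold alerts:", thresh)
    print("profile alerts (subject -> z-score):", prof)
```

Running it flags bob under the threshold rule and alice under the profile rule; carol's slightly-above-average day and dave's single typo are left alone. Note that the profile detector only judges a subject against its own history, so a subject with no baseline is silently skipped, which is exactly the gap an insider who creates a fresh account (slide 10, step 1) would exploit.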
Signature Detection
• observe events on the system and apply a set of rules to decide whether a given pattern of activity is that of an intruder
• approaches:
  • rule-based anomaly detection
    • analyze historical audit records to derive rules for expected behavior, then match current behavior against them
  • rule-based penetration identification
    • rules identify known penetrations / weaknesses
    • often derived by analyzing attack scripts from the Internet
    • supplemented with rules from security experts
Distributed Host-Based IDS (two figure-only slides)
Network-Based IDS
• network-based IDS (NIDS): monitors traffic at selected points on a network, in (near) real time, to detect intrusion patterns
• may examine network, transport and/or application level protocol activity directed toward systems
• comprises a number of sensors:
  • inline (possibly as part of another network device)
  • passive (monitors a copy of the traffic)
NIDS Sensor Deployment (figure only)
Intrusion Detection Techniques
• signature detection
  • at application, transport, network layers; unexpected application services, policy violations
• anomaly detection
  • of denial of service attacks, scanning, worms
• when a potential violation is detected the sensor sends an alert and logs information
  • used by the analysis module to refine intrusion detection parameters and algorithms
  • and by the security admin to improve protection
Distributed Adaptive Intrusion Detection (figure only)
Intrusion Detection Exchange Format (figure only)
Honeypots
• are decoy systems
  • filled with fabricated info
  • instrumented with monitors / event loggers
  • divert and hold the attacker to collect activity info, without exposing production systems
• initially were single systems; more recently are (or emulate) entire networks
Honeypot Deployment (figure only)
SNORT
• lightweight IDS
  • real-time packet capture and rule analysis
  • passive or inline
SNORT Rules
• use a simple, flexible rule definition language, with a fixed header and zero or more options
• header includes: action, protocol, source IP, source port, direction, dest IP, dest port
• many options
• example rule to detect a TCP SYN-FIN scan (the action keyword is lowercase `alert` in Snort's syntax; `flags:SF,12` matches packets with exactly SYN and FIN set while ignoring the two reserved bits; a rule in a deployed rule set also needs a `sid` option, which this slide omits):

    alert tcp $EXTERNAL_NET any -> $HOME_NET any \
        (msg:"SCAN SYN FIN"; flags:SF,12; \
        reference:arachnids,198; classtype:attempted-recon;)
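The rule above expressed as data and evaluated against raw packets, as an added example for this page that also illustrates the rule-based penetration identification described on the Signature Detection slide. This is not Snort's code and not code from the slides: it reimplements only the header fields and the `flags` option, following Snort's documented semantics (flag letters F S R P A U, reserved bits `1` = CWR and `2` = ECE, the `+`/`*`/`!` modifiers and the mask after the comma). The `$HOME_NET` range 192.168.1.0/24, the treatment of `$EXTERNAL_NET` as everything outside it, the dict representation of a rule and the sample packets are assumptions.

```python
"""Added example for this page (not Snort's code and not from the slides): a
minimal evaluator for the header and `flags` option of the SYN-FIN rule, run
over constructed IPv4/TCP headers.  Assumptions: $HOME_NET is 192.168.1.0/24,
$EXTERNAL_NET is everything else, ports are 'any', and a rule is a dict."""
import ipaddress
import struct

# Snort flag letters -> bits of the TCP flags byte ("1" is CWR, the MSB; "2" is ECE).
TCP_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
                 "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80, "0": 0x00}

HOME_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed value of $HOME_NET

# The slide's rule as data.  A real rule file would also carry a sid/rev pair.
SYN_FIN_RULE = {
    "action": "alert", "proto": "tcp",
    "src": "$EXTERNAL_NET", "sport": "any", "dst": "$HOME_NET", "dport": "any",
    "msg": "SCAN SYN FIN", "flags": "SF,12",
    "reference": "arachnids,198", "classtype": "attempted-recon",
}


def flags_match(spec: str, flags: int) -> bool:
    """Evaluate a Snort `flags:<test>[,<mask>]` value against a TCP flags byte.
    Bits named in <mask> are ignored.  Without a modifier the remaining bits
    must equal <test> exactly; '+' = all <test> bits set (others ignored),
    '*' = any <test> bit set, '!' = no <test> bit set."""
    test, _, mask = spec.partition(",")
    modifier = test[0] if test[:1] in ("+", "*", "!") else ""
    want = ignore = 0
    for ch in test[len(modifier):]:
        want |= TCP_FLAG_BITS[ch]
    for ch in mask:
        ignore |= TCP_FLAG_BITS[ch]
    have = flags & ~ignore & 0xFF
    if modifier == "+":
        return have & want == want
    if modifier == "*":
        return have & want != 0
    if modifier == "!":
        return have & want == 0
    return have == want


def address_matches(var: str, addr) -> bool:
    """$HOME_NET means inside HOME_NET; $EXTERNAL_NET means not inside it."""
    inside = addr in HOME_NET
    return inside if var == "$HOME_NET" else not inside


def parse_packet(raw: bytes) -> dict:
    """Pull protocol, addresses, ports and TCP flags out of an IPv4+TCP header."""
    fields = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ver_ihl, proto, src, dst = fields[0], fields[6], fields[8], fields[9]
    ihl = (ver_ihl & 0x0F) * 4                      # IPv4 header length in bytes
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    return {"proto": proto, "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "sport": sport, "dport": dport, "flags": raw[ihl + 13]}  # flags byte is TCP offset 13


def rule_matches(rule: dict, pkt: dict) -> bool:
    """Header test (protocol, source/destination net) followed by the flags option."""
    if rule["proto"] == "tcp" and pkt["proto"] != 6:
        return False
    if not (address_matches(rule["src"], pkt["src"]) and address_matches(rule["dst"], pkt["dst"])):
        return False
    return flags_match(rule["flags"], pkt["flags"])


def build_packet(src: str, dst: str, flags: int) -> bytes:
    """Constructed 40-byte IPv4+TCP header (no payload, checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, flags, 1024, 0, 0)
    return ip + tcp


def scan(packets, rules=(SYN_FIN_RULE,)):
    """Return (msg, src, dst) for every packet/rule pair that matches."""
    hits = []
    for raw in packets:
        pkt = parse_packet(raw)
        for rule in rules:
            if rule_matches(rule, pkt):
                hits.append((rule["msg"], str(pkt["src"]), str(pkt["dst"])))
    return hits


# Constructed sample traffic; the comments give the expected verdicts.
SAMPLE_PACKETS = [
    build_packet("203.0.113.5", "192.168.1.10", 0x03),         # SYN+FIN          -> alert
    build_packet("203.0.113.5", "192.168.1.10", 0x02),         # normal SYN       -> no
    build_packet("203.0.113.5", "192.168.1.10", 0x03 | 0xC0),  # SYN+FIN+CWR+ECE  -> alert (masked by ",12")
    build_packet("203.0.113.5", "192.168.1.10", 0x13),         # SYN+FIN+ACK      -> no (exact match)
    build_packet("192.168.1.20", "192.168.1.10", 0x03),        # internal source  -> no ($EXTERNAL_NET)
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_PACKETS):
        print(*hit)
```

The mask is the part worth noticing: without `,12` a scanner that also sets the two ECN bits would slip past an exact `SF` match, and with `+SF` instead of `SF` ordinary SYN+FIN+ACK traffic would start to match. Signature detection is only as good as the precision of each pattern, which is why real rule sets carry a `reference` and `classtype` so that the analyst can judge what a hit means.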
Summary
• introduced intruders & intrusion detection
  • hackers, criminals, insiders
• intrusion detection approaches
  • host-based (single and distributed)
  • network
  • distributed adaptive
  • exchange format
• honeypots
• SNORT example