IDS - Chapter 2: Types of IDS
Dahlia Asyiqin bt Ahmad Zainaddin

Classifications (1 of 2)
- Signature vs. Anomaly based: defines the model for assessing policy violations
- Active vs. Passive: probing (snooping) versus monitoring
- Host vs. Network: defines the event source

Classifications (2 of 2)
- Centralized vs. Distributed: location of analysis
- Real Time vs. Interval: determines when notification takes place

Ways to Detect an Intrusion
- Signature Recognition: catch the intrusions in terms of the characteristics of known attacks or system vulnerabilities.
- Anomaly Detection: detect any action that significantly deviates from the normal behavior.

Signature Recognition
- Also known as misuse recognition
- Based on known attack actions; uses models of bad behavior
- Each signature is an observed policy violation
- Examples: buffer overflow strings, SQL injection attacks, virus definitions
- Detection occurs when bad behavior is observed
- The list of signatures must be kept current

Signature Recognition: Methods & Systems

Method                      System
Rule-based Languages        RUSSEL, P-BEST
State Transition Analysis   STAT family (STAT, USTAT, NSTAT, NetSTAT)
Colored Petri Automata      IDIOT
Expert System               IDES, NIDX, P-BEST, ISOA
Case Based Reasoning        AutoGUARD

Anomaly Detection
- Uses a model of good behavior
- Detection occurs when observed behavior deviates from good behavior
- Useful for detecting novel attacks
- May generate excessive false positives

Anomaly Detection: Methods & Systems

Method                        System
Statistical method            IDES, NIDES, EMERALD
Machine Learning techniques   Time Based Inductive Machine, Instance Based Learning, Neural Network
Data mining approaches        JAM, MADAM ID

Anomaly Detection: Disadvantages
- Based on audit data collected over a period of normal operation.
- When noise (intrusion) data is present in the training data, it will cause misclassification.
- How to decide the features to be used: the features are usually decided by domain experts, and they may not be complete.

Signature Recognition vs. Anomaly Detection

                        Advantage                                  Disadvantage
Signature Recognition   Accurate, and generates much fewer         Cannot detect novel or unknown attacks
                        false alarms
Anomaly Detection       Is able to detect unknown attacks          High false-alarm rate, and limited by
                        based on audit data                        the training data

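The two detection models compared on the slides above (signature recognition, then anomaly detection and its disadvantages), as an added worked example that is not part of the original deck. Everything in it is constructed: the audit-record format, the user names and request rates, the two signature patterns, and the z-score threshold of 3. A contaminated baseline is included to show the training-data problem from the Anomaly Detection Disadvantages slide.

```python
import re
import statistics
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed audit records (made up for this example, not taken from the slides).
# One record per line: "<user> <requests per minute> <request path>".
BASELINE_LOG = [                      # a period of normal operation: the "good behaviour" model
    "alice 12 /index.html",
    "bob 9 /login",
    "carol 15 /search?q=ids",
    "alice 11 /about",
    "bob 10 /search?q=snort",
    "carol 14 /index.html",
    "dave 13 /login",
    "dave 12 /docs/nids",
    "alice 10 /docs/hids",
    "bob 11 /index.html",
]
TEST_LOG = [                          # records to be classified
    "alice 12 /index.html",                       # normal
    "mallory 10 /login?user=admin'%20OR%201=1",   # known attack string, normal rate
    "eve 140 /api/export",                        # no known signature, abnormal rate
    "frank 9 /../../etc/passwd",                  # known attack string, normal rate
    "grace 60 /reports/monthly",                  # legitimate heavy user
]
# Baseline polluted with intrusion records, to show the training-data disadvantage.
CONTAMINATED_BASELINE = BASELINE_LOG + ["eve 140 /api/export", "eve 130 /api/export"]


@dataclass
class Record:
    user: str
    rate: int   # requests per minute
    path: str


def parse(line: str) -> Record:
    user, rate, path = line.split(maxsplit=2)
    return Record(user, int(rate), path)


# --- Signature recognition: models of known bad behaviour (illustrative patterns only) ---
SIGNATURES: Dict[str, re.Pattern] = {
    "sql-injection": re.compile(r"(?:'|%27)(?:\s|%20)*(?:or|union)\b", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./"),
}


def signature_detect(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (user, signature name) for every record that matches a known-bad pattern.
    Anything without a signature is missed, which is why the list must be kept current."""
    hits = []
    for rec in map(parse, lines):
        for name, pattern in SIGNATURES.items():
            if pattern.search(rec.path):
                hits.append((rec.user, name))
    return hits


# --- Anomaly detection: a statistical model of good behaviour ---
class RateAnomalyDetector:
    """Flag records whose request rate lies more than `threshold` standard deviations
    above the mean of the baseline period."""

    def __init__(self, baseline_lines: List[str], threshold: float = 3.0):
        rates = [parse(line).rate for line in baseline_lines]
        self.mean = statistics.mean(rates)
        self.stdev = statistics.stdev(rates)
        self.threshold = threshold

    def zscore(self, rec: Record) -> float:
        return (rec.rate - self.mean) / self.stdev

    def detect(self, lines: List[str]) -> List[Tuple[str, float]]:
        return [(rec.user, round(self.zscore(rec), 1))
                for rec in map(parse, lines) if self.zscore(rec) > self.threshold]


if __name__ == "__main__":
    print("signature hits:", signature_detect(TEST_LOG))
    print("anomalies (clean baseline):", RateAnomalyDetector(BASELINE_LOG).detect(TEST_LOG))
    print("anomalies (contaminated baseline):",
          RateAnomalyDetector(CONTAMINATED_BASELINE).detect(TEST_LOG))
```

Run on the constructed records, the signature pass flags only mallory and frank (known strings at normal rates) and the anomaly pass flags only eve and grace: eve is the novel attack that no signature covers, grace is the false positive the slides warn about. Training the same detector on the contaminated baseline inflates the standard deviation so much that nothing is flagged at all, which is the misclassification caused by intrusion data in the training set.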
Types of Intrusion Detection
- Host Based IDS (HIDS)
- Network Based IDS (NIDS)
- Hybrid

HIDS
Host based intrusion detection systems, or HIDS, are installed as agents on a host. Host based IDSs check for intrusions by checking information at the host or operating system level. These IDSs examine many aspects of your hosts, such as system calls, audit logs, and error and message logs, to detect any intruder activity.

HIDS: Benefits
- It has first-hand information on the success of the attack, because a host based IDS examines traffic after it reaches the target of the attack (assuming the host is the target). With a network based IDS, the alarms are generated on known intrusive activity; only a HIDS can determine the actual success or failure of an attack.
- HIDS can use the host's own IP stack to easily deal with variable Time To Live (TTL) attacks, which are difficult to detect using a network based IDS.

HIDS

Variable Time To Live Attacks
All packets travelling across the network have a TTL value. Each router that handles the packet decreases the TTL value by one. If the TTL value reaches zero, the packet is discarded. An attacker can launch an attack that includes bogus packets with smaller TTL values than the packets that make up the real attack. If the network based sensor sees all the packets, but the target host sees only the actual attack packets, the attacker has managed to distort the information that the sensor used, causing the sensor to potentially miss the attack.

Variable Time To Live Attacks (contd)
The fake packets start with a TTL of 3, whereas the real attack packets start with a TTL of 7. The sensor sees both sets of packets, but the target host sees only the real attack packets. Although this attack is possible, it is not easy to use in practice because it requires a detailed understanding of the network topology and the location of IDS sensors.

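The sensor-side check for the variable-TTL problem described on the two slides above, as an added example that is not part of the original deck. It uses the slide's numbers (decoy packets sent with TTL 3, real packets with TTL 7) inside a made-up topology: the sensor is assumed to sit two router hops from the sender and the target host six hops away. It compares what the host's own IP stack reassembles (which is what a HIDS sees) with a naive network sensor and with a sensor that knows its hop distance to the host and ignores packets whose remaining TTL cannot reach it.

```python
from dataclasses import dataclass
from typing import List

# Assumed topology (made up for this example, not from the slides): the sensor sits
# SENSOR_HOPS routers from the sender and the target host HOST_HOPS routers away.
# Every router decrements TTL by one and discards the packet when it reaches zero,
# so a packet survives `hops` routers only if it left the sender with ttl > hops.
SENSOR_HOPS = 2
HOST_HOPS = 6
SIGNATURE = "ATTACK"   # constructed byte pattern the sensor is looking for


@dataclass
class Packet:
    seq: int    # offset of this byte within the stream
    ttl: int    # TTL when the packet left the sender
    data: str   # one byte of payload, kept as a character for readability


def survives(pkt: Packet, hops: int) -> bool:
    return pkt.ttl > hops


def reassemble(packets: List[Packet]) -> str:
    """Rebuild the byte stream; the first byte received for an offset wins."""
    buf = {}
    for p in packets:
        buf.setdefault(p.seq, p.data)
    return "".join(buf[i] for i in sorted(buf))


def build_stream() -> List[Packet]:
    """Constructed traffic following the slide's numbers: for every real byte
    (sent with TTL 7) a decoy byte with TTL 3 arrives first at the same offset."""
    stream = []
    for i, ch in enumerate(SIGNATURE):
        stream.append(Packet(i, 3, "x"))
        stream.append(Packet(i, 7, ch))
    return stream


def host_view(stream: List[Packet]) -> str:
    """What the target host's own IP stack reassembles (a HIDS sees exactly this)."""
    return reassemble([p for p in stream if survives(p, HOST_HOPS)])


def naive_sensor_view(stream: List[Packet]) -> str:
    """A network sensor that trusts every packet it can see."""
    return reassemble([p for p in stream if survives(p, SENSOR_HOPS)])


def normalized_sensor_view(stream: List[Packet],
                           hops_to_host: int = HOST_HOPS - SENSOR_HOPS) -> str:
    """A network sensor that knows its distance to the host and ignores packets
    whose remaining TTL on arrival is too small to get there."""
    seen = [p for p in stream if survives(p, SENSOR_HOPS)]
    return reassemble([p for p in seen if p.ttl - SENSOR_HOPS > hops_to_host])


def signature_match(view: str) -> bool:
    return SIGNATURE in view


if __name__ == "__main__":
    s = build_stream()
    for name, view in [("host", host_view(s)),
                       ("naive sensor", naive_sensor_view(s)),
                       ("normalized sensor", normalized_sensor_view(s))]:
        print(f"{name:18s} {view!r:12s} match={signature_match(view)}")
```

The naive sensor reassembles only decoy bytes and never matches, while the host and the normalized sensor both see the real stream. The normalized sensor only works because it was told its hop distance to the host; that per-host topology knowledge is exactly what a network sensor lacks by default and what a HIDS gets for free from the host's own IP stack.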
HIDS: Drawbacks
- Limited network view: most host based IDSs, for example, do not detect port scans against the host. It is almost impossible for a host based IDS to detect reconnaissance scans against your network. These scans are a key indicator of further attacks against your network.
- Must operate on every OS on the network.
- HIDS must communicate its information to some type of central management facility. An attack might take a host's network communication offline; that host then cannot communicate any information to the central management facility.

NIDS
Network IDS (NIDS) are intrusion detection systems that capture data packets traveling on the network media (cables, wireless) and match them to a database of signatures. Depending upon whether a packet is matched with an intruder signature, an alert is generated or the packet is logged to a file or database. One major use of Snort is as a NIDS.

NIDS

NIDS: Benefits
A network based IDS examines packets to locate attacks against the network. The IDS sniffs the network packets and compares the traffic against signatures for known intrusive activity.
Benefits:
- Overall network perspective
- Does not have to run on every OS on the network

NIDS: Drawbacks
- Bandwidth: as network pipes grow larger and larger, it is difficult to successfully monitor all the traffic going across the network at a single point in real time without missing packets. More sensors need to be installed throughout the network at locations
- Fragment reassembly: network packets have a maximum size. If a connection needs to send data that exceeds this maximum bound, the data must be sent in multiple packets. This is known as fragmentation. When the receiving host gets the fragmented packets, it must reassemble the data. Not all hosts perform the reassembly process in the same order. Some OSs start with the last fragment and work toward the first. Others start at the first and work toward the last. The order does not matter if the fragments do not overlap. If they overlap, the result differs for each reassembly process.

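The fragment-reassembly drawback on the slide above, as an added example that is not part of the original deck. It models the two policies the slide describes (the fragment received first supplies an overlapping byte, or the fragment received last does), runs both over constructed fragment sets, and adds the check a sensor should make: report any overlapping fragments, because without knowing the target host's policy it cannot know which bytes the host will keep.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Fragment:
    offset: int   # byte offset of this fragment within the original datagram
    data: bytes


def reassemble(frags: List[Fragment], policy: str) -> bytes:
    """Rebuild the datagram. policy="first": the fragment received first supplies any
    overlapping byte; policy="last": the fragment received last overwrites it.
    Bytes that no fragment covers are filled with b"?"."""
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    total = max(f.offset + len(f.data) for f in frags)
    buf = bytearray(b"?" * total)
    # Writing in reverse arrival order lets earlier fragments overwrite later ones.
    order = reversed(frags) if policy == "first" else frags
    for f in order:
        buf[f.offset:f.offset + len(f.data)] = f.data
    return bytes(buf)


def overlapping_pairs(frags: List[Fragment]) -> List[Tuple[int, int]]:
    """Indices (in arrival order) of fragment pairs that claim the same bytes.
    A sensor that does not know the target's policy should alert on any such pair
    instead of guessing which bytes the host will keep."""
    pairs = []
    for i in range(len(frags)):
        for j in range(i + 1, len(frags)):
            a, b = frags[i], frags[j]
            if a.offset < b.offset + len(b.data) and b.offset < a.offset + len(a.data):
                pairs.append((i, j))
    return pairs


def ambiguous(frags: List[Fragment]) -> bool:
    """True when the two policies would hand the host different data."""
    return reassemble(frags, "first") != reassemble(frags, "last")


# Constructed fragment sets (not from the slides), listed in arrival order.
CLEAN = [Fragment(0, b"ABC"), Fragment(3, b"DEF")]            # no overlap
OVERLAP = [Fragment(0, b"ABCDEF"), Fragment(3, b"xyz123")]    # bytes 3..5 claimed twice

if __name__ == "__main__":
    for name, frags in [("clean", CLEAN), ("overlap", OVERLAP)]:
        print(name, reassemble(frags, "first"), reassemble(frags, "last"),
              "overlaps:", overlapping_pairs(frags), "ambiguous:", ambiguous(frags))
```

For the non-overlapping set both policies produce the same bytes, so the order does not matter, exactly as the slide says. For the overlapping set the two policies disagree on bytes 3 to 5, and `overlapping_pairs` is the signal a NIDS can act on. Snort's frag3 preprocessor takes the practical route of letting the operator declare the reassembly policy per target host so the sensor can mimic the host it protects.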
Hybrid: Characteristic
Hybrid systems combine the functionality from several different IDS categories to create

Active vs. Passive IDS
Active IDS
- Probes systems to uncover attack artifacts
- May take corrective/preventive action: lock out a user ID; terminate a network connection and update a firewall rule
Passive IDS
- Monitors (does not alter) the event stream
- Alerts the user; the user is responsible for the response

Centralized vs. Distributed
Centralized
- Monitoring, analysis, and detection are performed by a single system
- Can we keep up with the event stream?
Distributed
- Many monitoring points or agents contribute to the process
- How do we communicate securely among entities?

Real Time vs. Interval
Real Time
- Detection and response occur before the intrusion can take place (hopefully)
- Necessary for autonomous response
Interval
- Analysis and detection are reported over some time interval (e.g., once per day)
- The user is responsible for the response

Question
- Is an active IDS = IPS?
- Centralized and distributed