intrusion detection presentation : 1 of n by manish mehta 01/24/03


Page 1: Intrusion Detection Presentation : 1 OF n by Manish Mehta 01/24/03

Intrusion Detection Presentation : 1 OF n

by Manish Mehta

01/24/03

Page 2:

Introduction

• 3 fundamental needs of Computer Security

– Prevention

– Detection

– Response

All 3 components are needed for Comprehensive Protection.

Page 3:

Security in Business

• You can lock all the doors and stay safe, or you can open the doors and do some business.

Page 4:

What is Intrusion Detection (ID)?

• ID is the art of detecting and responding to computer misuse.

• Selection of an ID system should be based on environment-specific requirements. (How do you want to define an Intrusion?)

Page 5:

Terms you should know

• ID – Detecting unauthorized access to a computer and/or a network.

• Misuse Detection – Detecting behavior that matches patterns of misuse.

• Anomaly Detection – Detecting deviations from acceptable behavior profiles.

Page 6:

Terms you should know (contd.)

• False-positive – An alarm that is not misuse.

• False-negative – Misuse that is not detected or alarmed.

• IDS – A system that collects information from a variety of systems and network sources, and then analyzes the information for signs of intrusion and misuse.

Page 7:

In general we can say ..

• Intrusion – Attacks originating outside the organization.

• Misuse – Attacks originating inside the organization.

Page 8:

Let's take a step back! ID – A historical perspective.

• ID has exploded in recent years, but the roots of ID are considerably more humble.

• Initially focused on host-based event log analysis.

Page 9:

Brief Timeline of ID research

• 1980 – A technical report said that audit records can be used to identify misuse.

• 1985 – SRI was funded by the US Navy to build a prototype of the ID Expert System (IDES).

• 1986 – First paper, “An ID model”.

• 1987 – First annual ID workshop at SRI.

• 1989 – A student at UCD wrote the Network Security Monitor (NSM).

Page 10:

Timeline (Contd.)

• 1990 – US Navy completed study of ID research projects and selected one.

• 1992 – Computer Misuse Detection System (CMDS) developed by SAIC.

• 1994 – A research group at the Air Force created ASIM, a robust IDS.

• 1997 – Cisco began building network ID into Cisco routers.

Page 11:

Timeline (Contd.)

• 1999 – Federal ID Network (FIDNet) was created to detect network infrastructure attacks against government sites.

• After that – A lot of research papers and implementations.

Page 12:

Network v/s Host based ID

• All ID methods are basically based on analysis of a set of discrete, time-sequenced events for patterns of misuse.

- Host based ID – examines events like file access and application execution.

- Network based ID – examines network traffic.

Page 13:

Which one do you need?

• For comprehensive detection? BOTH !

Each has pros and cons that should be measured against the requirements of the environment.

Systems using both detections are called “Hybrid Systems”.

Page 14:

Anatomy of IDS

• ID Systems have 2 main tasks

- Detecting

- Responding

Page 15:

Command Console

• Authority for controlling the entire system (the nerve centre). “remote” feature?

• It has tools for setting policies and processing collected alarms.

– Assessment manager – controls the collection of static configuration info.

– Target manager – maintains connection with components on target side.

– Alert manager – collects and maintains Alert data.

Page 16:

Network Sensors

• Basically 2 types

- Promiscuous-mode sensors reside on dedicated machines.

- Network-node sensors run on the machines they monitor.

Page 17:

Alert Notification System

• Basic task is to notify the security officer

• How?

- On-screen Alerts

- Audible Alerts

- Paging

- e-mail

- SNMP (wow !)

Page 18:

Response Subsystem

• Take actions based on threats to the target systems.

- automatic

- system operator (manual)

What actions?

- reconfiguration

- shut down connection

Page 19:

Database

• Repository for statistics

• Useful for damage assessment and investigation.

Page 20:

ID Process

• Have a simple but effective policy

• Policy defines acceptable activity, e.g. a ping sweep, or a packet from outside coming in with a source address that belongs to the inside.

• Policies make the rules for the IDS.
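The two policy examples on this slide, written out as IDS rules over a constructed packet stream (an added example, not part of the original presentation). The inside address range, the sweep threshold of 5 hosts in 10 seconds and the packet record format are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Assumed policy for this example: which addresses are "inside" the organization,
# and how many distinct hosts one source may ping within the window before it is a sweep.
INSIDE_NET = ipaddress.ip_network("10.0.0.0/8")
SWEEP_HOSTS = 5       # distinct ICMP echo targets from one source ...
SWEEP_WINDOW = 10.0   # ... within this many seconds

def is_spoofed_inbound(pkt):
    """Rule 1: a packet seen on the outside interface must not claim an inside source."""
    return pkt["iface"] == "outside" and ipaddress.ip_address(pkt["src"]) in INSIDE_NET

def find_ping_sweeps(packets):
    """Rule 2: one source sending ICMP echo requests to many hosts in a short window."""
    history = defaultdict(list)   # src -> [(time, dst), ...] inside the sliding window
    seen, alerts = set(), []
    for pkt in packets:
        if pkt["proto"] != "icmp-echo":
            continue
        hist = history[pkt["src"]]
        hist.append((pkt["t"], pkt["dst"]))
        # drop events that have fallen out of the window
        hist[:] = [(t, d) for t, d in hist if pkt["t"] - t <= SWEEP_WINDOW]
        distinct = {d for _, d in hist}
        if len(distinct) >= SWEEP_HOSTS and pkt["src"] not in seen:
            seen.add(pkt["src"])          # one alarm per source, not one per packet
            alerts.append(("ping-sweep", pkt["src"], len(distinct)))
    return alerts

def evaluate(packets):
    """Apply both policy rules and return the list of alerts."""
    alerts = [("spoofed-src", p["src"], p["dst"]) for p in packets if is_spoofed_inbound(p)]
    return alerts + find_ping_sweeps(packets)

# Constructed sample traffic: one inbound packet with an inside source address,
# one legitimate inbound packet, and an outside host pinging 10.0.1.1 .. 10.0.1.6.
SAMPLE = [
    {"t": 0.0, "iface": "outside", "src": "10.0.5.5", "dst": "10.0.1.1", "proto": "tcp"},
    {"t": 1.0, "iface": "outside", "src": "203.0.113.9", "dst": "10.0.1.1", "proto": "tcp"},
] + [
    {"t": 2.0 + i, "iface": "outside", "src": "198.51.100.7",
     "dst": f"10.0.1.{i + 1}", "proto": "icmp-echo"}
    for i in range(6)
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE):
        print(alert)
```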

Page 21:

Traditional audit v/s ID

• Understanding the difference will influence requirement definition.

Traditional Audit

- Counting and confirming periodically

- Password policies

- Security patches

- Guest account enabled (Shouldn’t be!!)

- Locking screen-savers enabled (Shouldn’t be!!)

Page 22:

Then what is the difference?

• ID Systems look for differences in patterns of behavior as opposed to the state of control.

e.g.

- A configuration scanner will check for the password policy.

- An IDS looks for 3 failed login attempts.
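The "3 failed login attempts" behaviour rule from this slide, implemented over constructed sshd-style log lines (an added example, not part of the original presentation). The log format, the 60-second window and the per-(user, source) grouping are assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed log format: syslog timestamp, host, sshd[pid], OpenSSH "Failed password" text.
FAILED_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+)"
)
THRESHOLD = 3        # failed attempts ...
WINDOW_SECONDS = 60  # ... within this many seconds (assumed values)

def parse_failed(line):
    """Return (timestamp, user, source) for a failed-login line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
    return ts, m.group(2), m.group(3)

def detect_bruteforce(lines):
    """Alarm when one (user, source) pair fails THRESHOLD times inside the sliding window."""
    recent = defaultdict(deque)   # (user, src) -> timestamps still inside the window
    alerts = []
    for line in lines:
        rec = parse_failed(line)
        if rec is None:
            continue              # accepted logins and other lines are not failures
        ts, user, src = rec
        q = recent[(user, src)]
        q.append(ts)
        while (ts - q[0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()           # expire attempts older than the window
        if len(q) >= THRESHOLD:
            alerts.append((user, src, ts.strftime("%H:%M:%S"), len(q)))
            q.clear()             # one burst yields one alarm, not one per extra attempt
    return alerts

# Constructed sample: a burst of 3 failures for alice, and 3 failures for bob spread
# over 8 minutes, which the rule should not treat as the same pattern.
SAMPLE_LOG = [
    "Jan 24 10:00:01 gw sshd[100]: Failed password for alice from 198.51.100.7 port 5000 ssh2",
    "Jan 24 10:00:05 gw sshd[101]: Failed password for alice from 198.51.100.7 port 5001 ssh2",
    "Jan 24 10:00:07 gw sshd[102]: Accepted password for bob from 10.0.0.5 port 5002 ssh2",
    "Jan 24 10:00:09 gw sshd[103]: Failed password for alice from 198.51.100.7 port 5003 ssh2",
    "Jan 24 10:01:00 gw sshd[104]: Failed password for bob from 203.0.113.4 port 5004 ssh2",
    "Jan 24 10:05:00 gw sshd[105]: Failed password for bob from 203.0.113.4 port 5005 ssh2",
    "Jan 24 10:09:00 gw sshd[106]: Failed password for bob from 203.0.113.4 port 5006 ssh2",
]

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))
```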

Page 23:

Integrity Checkers

• Use MD5 or CRC

- Tripwire

- Tools in COPS

An IDS can track the exact modification information. It is used for mission-critical files only.
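A minimal Tripwire-style integrity checker illustrating this slide: record a baseline digest for a set of critical files, then report which were modified or removed (an added example, not Tripwire's or COPS' own code). It uses MD5 as the slide says; the file names and the temporary-directory scenario are constructed for the example.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def digest(path, algo="md5"):
    """Hash a file in chunks. MD5 is what the slide names; it is collision-prone,
    so a modern checker would use sha256 (pass algo="sha256")."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline(paths, algo="md5"):
    """Record (size, digest) for each mission-critical file; store this read-only."""
    return {str(p): (os.path.getsize(p), digest(p, algo)) for p in paths}

def check(base, algo="md5"):
    """Compare the current state of every baselined file against the stored baseline."""
    findings = []
    for path, (size, dig) in base.items():
        if not os.path.exists(path):
            findings.append(("removed", path))
        elif os.path.getsize(path) != size or digest(path, algo) != dig:
            findings.append(("modified", path))
    return findings

def demo():
    """Constructed scenario: two critical files, one later edited and one deleted."""
    d = Path(tempfile.mkdtemp())
    passwd, hosts = d / "passwd", d / "hosts"
    passwd.write_text("root:x:0:0::/root:/bin/sh\n")
    hosts.write_text("127.0.0.1 localhost\n")
    base = baseline([passwd, hosts])
    assert check(base) == []        # nothing has changed yet
    passwd.write_text("root:x:0:0::/root:/bin/sh\nextra:x:1001:1001::/home/extra:/bin/sh\n")
    hosts.unlink()
    return sorted(check(base))

if __name__ == "__main__":
    print(demo())
```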

Page 24:

Un/acceptable behavior

• Infinite possibilities

• Breaking down “misuse” into categories can help

- unauthorized access/reading

- unauthorized modification

- DoS

Page 25:

Detecting deviation from acceptable behavior

• There is no HARD line between un/acceptable behavior.

3 models

- Perfect acceptable behavior model

- Real world behavior model

- Perfect unacceptable behavior model

Page 26:

So, ID: Science or Art??

• The factor to be considered here is the noise from ID.

• ID tools are really best used as support systems as opposed to definitive measuring devices.

• So it's more of an Art of defining rules.

p.s. Researchers don’t like their projects being compared with ‘Art’.

Page 27:

Questions ?

Page 28:

Until then ..