Intrusion Detection Presentation: 1 of n
by Manish Mehta
01/24/03
Introduction
• 3 fundamental needs of Computer Security
- Prevention
- Detection
- Response
All 3 components are needed for Comprehensive Protection.
Security in Business
• You can lock all the doors and stay safe, or you can open the doors and do some business.
What is Intrusion Detection (ID)?
• ID is the art of detecting and responding to computer misuse.
• Selection of an ID system should be based on environment-specific requirements. (How do you want to define an intrusion?)
Terms you should know
• ID – Detecting unauthorized access to a computer and/or a network.
• Misuse Detection – Detecting behavior that matches patterns of misuse.
• Anomaly Detection – Detecting deviations from acceptable behavior profiles.
Terms you should know (contd.)
• False-positive – An alarm that is not misuse.
• False-negative – Misuse that is not detected or alarmed.
• IDS – System that collects information from a variety of system and network sources, and then analyzes the information for signs of intrusion and misuse.
In general we can say:
• Intrusion – Attacks originating outside the organization.
• Misuse – Attacks originating inside the organization.
Let's take a step back! ID – A historical perspective.
• ID has exploded in recent years, but the roots of ID are considerably more humble.
• Initially focused on host-based event log analysis.
Brief Timeline of ID research
• 1980 – A technical report said that audit records can be used to identify misuse.
• 1985 – SRI was funded by US Navy to build prototype of ID Expert System. (IDES)
• 1986 – First paper “An ID model”
• 1987 – First annual ID workshop at SRI.
• 1989 – Student at UCD wrote Network Security Monitor. (NSM)
Timeline (Contd.)
• 1990 – US Navy completed study of ID research projects and selected one.
• 1992 – Computer Misuse Detection System (CMDS) developed by SAIC.
• 1994 – A research group at the Air Force created ASIM, a robust IDS.
• 1997 – Cisco began building network ID into Cisco router.
Timeline (Contd.)
• 1999 – Federal ID Network (FIDNet) was created to detect network infrastructure attacks against government sites.
• After that – A lot of research papers and implementations.
Network v/s Host based ID
• All ID methods are basically based on analysis of a set of discrete, time-sequenced events for patterns of misuse.
- Host based ID – examines events like file access, application execution.
- Network based ID – examines network traffic.
Which one do you need?
• For comprehensive detection? BOTH!
Each has pros and cons that should be measured against the requirements of the environment.
Systems using both detections are called “Hybrid Systems”.
Anatomy of IDS
• ID Systems have 2 main tasks
- Detecting
- Responding
Command Console
• Authority for controlling the entire system. (nerve system). “remote” feature?
• It has tools for setting policies and processing collected alarms.
– Assessment manager – controls the collection of static configuration info.
– Target manager – maintains connection with components on target side.
– Alert manager – collects and maintains Alert data.
Network Sensors
• Basically 2 types
- Promiscuous-mode sensors reside on dedicated machines.
- Network-node sensors run on the machines they monitor.
Alert Notification System
• Basic task is to notify security officer
• How?
- On-screen Alerts
- Audible Alerts
- Paging
- SNMP (wow !)
Response Subsystem
• Take actions based on threats to the target systems.
- automatic
- system operator (manual)
What actions?
- reconfiguration
- shut down connection
Database
• Repository for statistics
• Useful for damage assessment and investigation.
ID Process
• Have a simple but effective policy
• Policy defines acceptable activity. e.g. a ping sweep, or a packet coming in from outside with a source address that belongs to the inside.
• Policies make rules for IDS.
Traditional audit v/s ID
• Understanding the difference will influence requirement definition.
Traditional Audit
- Counting and confirming periodically
- Password policies
- Security patches
- Guest account enabled (Shouldn’t be!!)
- Locking screen-savers enabled (Shouldn’t be!!)
Then what is the difference?
• ID Systems look for differences in patterns of behavior as opposed to the state of control.
e.g.
- A configuration scanner will check for password policy.
- An IDS looks for 3 failed login attempts.
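The three policy rules the slides mention (a ping sweep, a packet from outside carrying an inside source address, and 3 failed logins) as they would run over a time-sequenced event stream. This is an added example, not code from the presentation; the event tuple layout, the 10.0.0.0/8 inside range, the "ext" interface label and the sample events are all constructed assumptions.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

INSIDE = ip_network("10.0.0.0/8")   # assumed inside address space; "ext" = outside-facing interface

# Constructed, time-ordered sample events (not from the slides): (time, kind, src, dst, iface, user)
EVENTS = [
    (100, "icmp_echo", "203.0.113.5", "10.0.0.1", "ext", None),
    (101, "icmp_echo", "203.0.113.5", "10.0.0.2", "ext", None),
    (102, "icmp_echo", "203.0.113.5", "10.0.0.3", "ext", None),
    (103, "icmp_echo", "203.0.113.5", "10.0.0.4", "ext", None),
    (150, "tcp", "10.0.0.9", "10.0.0.1", "ext", None),   # inside source address seen on the outside
    (200, "login_fail", "198.51.100.7", "10.0.0.1", "ext", "alice"),
    (300, "login_fail", "198.51.100.7", "10.0.0.1", "ext", "bob"),
    (320, "login_fail", "198.51.100.7", "10.0.0.1", "ext", "bob"),
    (340, "login_fail", "198.51.100.7", "10.0.0.1", "ext", "bob"),
]

def ping_sweeps(events, min_hosts=4, window=10):
    """One source sending echo requests to >= min_hosts distinct hosts within `window` seconds."""
    recent, alerts = defaultdict(deque), set()
    for t, kind, src, dst, _, _ in events:
        if kind != "icmp_echo":
            continue
        q = recent[src]
        q.append((t, dst))
        while q[0][0] < t - window:          # drop probes that fell out of the window
            q.popleft()
        if len({d for _, d in q}) >= min_hosts:
            alerts.add(src)
    return sorted(alerts)

def spoofed_ingress(events):
    """A packet arriving on the outside interface that claims an inside source address."""
    return sorted({src for _, _, src, _, iface, _ in events
                   if iface == "ext" and ip_address(src) in INSIDE})

def failed_logins(events, threshold=3, window=60):
    """A user accumulating `threshold` login failures within `window` seconds."""
    fails, alerts = defaultdict(deque), set()
    for t, kind, _, _, _, user in events:
        if kind != "login_fail":
            continue
        q = fails[user]
        q.append(t)
        while q[0] < t - window:             # only failures inside the window count
            q.popleft()
        if len(q) >= threshold:
            alerts.add(user)
    return sorted(alerts)
```

The thresholds and windows are the tunable part: lowering them trades false negatives for false positives, which is the noise problem the later slides raise.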
Integrity Checkers
• Use MD5 or CRC
- Tripwire
- Tools in COPS
• An IDS can track the exact modification information. It is used for mission-critical files only.
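A minimal integrity checker in the style of the tools above, added here as an example and not taken from Tripwire, COPS or the slides: it baselines a watched list of files and reports exactly which were modified, removed or added. It uses SHA-256 in place of the MD5/CRC the slide names; the file names and contents in `demo()` are constructed.

```python
import hashlib
import os
import tempfile

def file_digest(path, algo="sha256"):
    """Stream the file through the hash so large files need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(paths):
    """Baseline of the watched (mission-critical) files: path -> (size, digest)."""
    return {p: (os.path.getsize(p), file_digest(p)) for p in paths if os.path.isfile(p)}

def compare(baseline, paths):
    """Report exactly which watched files were modified, removed or newly appeared."""
    current = snapshot(paths)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }

def write(path, text, mode="w"):
    with open(path, mode) as f:
        f.write(text)

def demo():
    """Constructed scenario: baseline two files, then alter one, delete one, and add one."""
    d = tempfile.mkdtemp()
    passwd, hosts, cron = (os.path.join(d, n) for n in ("passwd", "hosts", "cron"))
    write(passwd, "root:x:0:0:root:/root:/bin/sh\n")
    write(hosts, "127.0.0.1 localhost\n")
    watched = [passwd, hosts, cron]                 # cron is watched but does not exist yet
    base = snapshot(watched)
    write(passwd, "eve:x:1001:1001::/home/eve:/bin/sh\n", mode="a")   # unauthorized modification
    os.remove(hosts)                                                   # watched file removed
    write(cron, "0 * * * * /usr/local/bin/job\n")                      # file appeared after baseline
    report = compare(base, watched)
    return {k: [os.path.basename(p) for p in v] for k, v in report.items()}
```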
Un/acceptable behavior
• Infinite possibilities
• Breaking down “misuse” in categories can help
- unauthorized access/reading
- unauthorized modification
- DoS
Detecting deviation from acceptable behavior
• There is no HARD line between un/acceptable behavior.
3 models
- Perfect acceptable behavior model
- Real world behavior model
- Perfect unacceptable behavior model
So, ID: Science or Art?
• The factor to be considered here is noise from the ID system.
• ID tools are really best used as support systems as opposed to definitive measuring devices.
• So it's more of an art of defining rules.
P.S. Researchers don’t like their projects being compared with ‘Art’.
Questions?
Until then ...