Intrusion Detection Systems
Francis Chang, Systems Software Lab, OGI
Transcript of a PowerPoint presentation reviewing four papers on intrusion detection.
The Papers
[1] M. Crosbie, B. Kuperman, "A Building Block Approach to Intrusion Detection"
[2] M. Welz, A. Hutchison, "Interfacing Trusted Applications with Intrusion Detection Systems"
[3] Y. Zhang, W. Lee, "Intrusion Detection in Wireless Ad-Hoc Networks"
[4] G. Mansfield, K. Ohta, Y. Takei, N. Kato, Y. Nemoto, "Towards Trapping Wily Intruders in the Large"
A Building Block Approach to Intrusion Detection
Let’s first look at the first paper…
[1] M. Crosbie, B. Kuperman, "A Building Block Approach to Intrusion Detection"
A Building Block Approach to Intrusion Detection
A new spin on how to build an IDS: the system “monitors the system looking for misuse actions that are indicative of attack. These misuse actions are called building blocks.”
Need for a better data source for the IDS (IDDS – Intrusion Detection Data Source).
A Building Block Approach to Intrusion Detection
Examples of building blocks:
Modification of a system file
Unexpected change of the user privileges of a running process
Modification of log files
Change of a global symbolic link
Creation of setuid programs
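The building blocks above are cheap to express once a kernel-level data source reports each relevant system call. The script below is an added example, not code from the Crosbie/Kuperman paper: it assumes an in-kernel IDDS has already emitted one record per interesting call (the `Event` layout, the path sets, and the rule that a process touching two distinct blocks is suspicious are all assumptions of this illustration), and runs the five blocks from the slide over a constructed set of records.

```python
"""Building-block detection over constructed in-kernel event records.

Added example, not code from the Crosbie/Kuperman paper. It assumes an
in-kernel data source (IDDS) has already emitted one record per interesting
system call; the record layout, the path lists and the 'two blocks from one
process' rule are assumptions of this illustration, and EVENTS is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Assumed policy: which paths count as system files, log files and global links.
SYSTEM_FILES = {"/etc/passwd", "/etc/shadow", "/bin/login", "/usr/sbin/sshd"}
LOG_FILES = {"/var/log/messages", "/var/log/auth.log", "/var/log/wtmp"}
GLOBAL_LINKS = {"/etc/localtime", "/usr/bin/python"}
SETUID_BIT = 0o4000


@dataclass
class Event:
    """One system-call record as the in-kernel source would report it (assumed layout)."""
    pid: int
    comm: str                         # command name of the calling process
    syscall: str                      # open, chmod, symlink, setuid, ...
    path: Optional[str] = None
    flags: str = ""                   # 'w' when an open() requested write access
    mode: int = 0                     # mode argument of chmod()/creat()
    old_uid: int = 0                  # effective uid before the call
    new_uid: int = 0                  # effective uid after the call
    uid_change_expected: bool = False  # login/su/sshd legitimately switch uid


def _writes(ev: Event) -> bool:
    """True when the call can change the file's contents or remove it."""
    return (ev.syscall == "open" and "w" in ev.flags) or ev.syscall in ("truncate", "unlink", "rename")


def classify(ev: Event) -> list[str]:
    """Return the building blocks a single record matches (possibly none)."""
    hits = []
    if _writes(ev) and ev.path in SYSTEM_FILES:
        hits.append("modification of a system file")
    if _writes(ev) and ev.path in LOG_FILES:
        hits.append("modification of a log file")
    if ev.syscall.startswith("setuid") and ev.old_uid != ev.new_uid and not ev.uid_change_expected:
        hits.append("unexpected change of privileges of a running process")
    if ev.syscall in ("symlink", "unlink", "rename") and ev.path in GLOBAL_LINKS:
        hits.append("change of a global symbolic link")
    if ev.syscall in ("chmod", "fchmod", "creat") and ev.mode & SETUID_BIT:
        hits.append("creation of a setuid program")
    return hits


def detect(events) -> dict[int, set[str]]:
    """Map each pid to the set of building blocks its records triggered."""
    blocks = defaultdict(set)
    for ev in events:
        for block in classify(ev):
            blocks[ev.pid].add(block)
    return dict(blocks)


def suspicious_processes(events, min_blocks=2) -> set[int]:
    """Processes that hit several distinct blocks: one block (an admin editing
    /etc/passwd) can be legitimate, a combination such as system file plus
    log file rarely is (assumed rule)."""
    return {pid for pid, bs in detect(events).items() if len(bs) >= min_blocks}


# Constructed records: an editor, an intruder's shell, a login, a compromised httpd, a link swap.
EVENTS = [
    Event(101, "vi", "open", path="/etc/motd", flags="w"),
    Event(202, "sh", "open", path="/etc/passwd", flags="w"),
    Event(202, "sh", "open", path="/var/log/auth.log", flags="w"),
    Event(202, "sh", "chmod", path="/tmp/.x", mode=0o4755),
    Event(303, "login", "setuid", old_uid=0, new_uid=1000, uid_change_expected=True),
    Event(404, "httpd", "setuid", old_uid=33, new_uid=0),
    Event(505, "ln", "symlink", path="/etc/localtime"),
]

if __name__ == "__main__":
    for pid, bs in sorted(detect(EVENTS).items()):
        print(pid, sorted(bs))
    print("suspicious:", sorted(suspicious_processes(EVENTS)))
```

The point of the combination rule is the one the paper makes about building blocks: each block is a low-level, unambiguous observation from the kernel, and the IDS decides what the pattern of blocks means, instead of depending on whatever a daemon chose to write to syslog.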
A Building Block Approach to Intrusion Detection
So what did they do?
Build an in-kernel IDDS.
A Building Block Approach to Intrusion Detection
Crosbie/Kuperman argue that traditional IDS data sources are insufficient – let’s take a look at their argument.
A Building Block Approach to Intrusion Detection
syslogd:
Often a popular IDS data source
Typically a daemon writes to syslogd only when it “starts up, change configuration, encounter an error, or some other unusual behaviour occurs”
A Building Block Approach to Intrusion Detection
syslogd (continued):
Crosbie/Kuperman argue that the quality of the log messages is completely dependent on the programmers who wrote the system daemons.
Early versions of syslogd could themselves be attacked – buffer overflows, abnormal exits
A Building Block Approach to Intrusion Detection
Network packet traces:
If you use only network packet traces you often lose the host-side context (which process received the data and what it then did), and so cannot detect certain types of attacks.
A Building Block Approach to Intrusion Detection
Why is an in-kernel approach good?
Time inside the kernel is “frozen”: while the kernel services a system call the calling process is stopped, so the monitor sees the request and the process state consistently, before the action takes effect.
An in-kernel design is more resilient to attack than a user-space daemon, which can be killed or starved once an intruder has a foothold.
Interfacing Trusted Apps
The next paper – [2] M. Welz, A. Hutchison, "Interfacing Trusted Applications with Intrusion Detection Systems"
Interfacing Trusted Apps
The basic suggestion: rewrite existing applications to report to, and take advantage of, a syslogd/IDS system.
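What "rewriting an application to take advantage of the IDS" can look like, as an added example that is not code from the paper reviewed here: a login service that calls an IDS interface before and after each authentication instead of merely writing a free-form syslog line. The request/verdict shape of the interface, the event names, the failure threshold and the credentials are assumptions of this illustration.

```python
"""A trusted application reporting to an IDS through an explicit interface.

Added example, not code from the 'Interfacing Trusted Applications' paper.
The slides only say that applications should be rewritten to use a
syslogd/IDS system; the report()/verdict shape of the interface, the event
names, the thresholds and the credential store are assumptions of this
illustration.
"""
from collections import defaultdict, deque


class Ids:
    """Toy IDS keeping per-source state for the events applications report."""

    def __init__(self, max_failures=3, window=60.0):
        self.max_failures = max_failures
        self.window = window                 # seconds of history that count
        self.failures = defaultdict(deque)   # source address -> timestamps of failed logins
        self.blocked = set()
        self.log = []                        # every event, as a syslogd would have received it

    def report(self, app, event, ts, **attrs):
        """Record an application event and answer 'allow' or 'deny'.

        Unlike a syslog line, the event carries structured fields (user,
        source) that the IDS can correlate and act on immediately."""
        self.log.append((ts, app, event, dict(attrs)))
        src = attrs.get("src")
        recent = self.failures[src]
        while recent and ts - recent[0] > self.window:   # forget old failures
            recent.popleft()
        if event == "auth.failure":
            recent.append(ts)
            if len(recent) >= self.max_failures:
                self.blocked.add(src)
        if event == "auth.attempt" and src in self.blocked:
            return "deny"
        return "allow"


class LoginService:
    """Application rewritten to consult the IDS before and after authenticating."""

    def __init__(self, ids, passwords):
        self.ids = ids
        self.passwords = passwords   # constructed credential store, plaintext for brevity

    def login(self, user, password, src, ts):
        if self.ids.report("login", "auth.attempt", ts, user=user, src=src) == "deny":
            return "refused"
        if self.passwords.get(user) == password:
            self.ids.report("login", "auth.success", ts, user=user, src=src)
            return "ok"
        self.ids.report("login", "auth.failure", ts, user=user, src=src)
        return "bad password"


def run_scenario():
    """Constructed scenario: three guesses from 10.0.0.9, then the right password
    from the same source (now refused) and from a legitimate source (accepted)."""
    ids = Ids()
    svc = LoginService(ids, {"alice": "correct horse"})
    results = [svc.login("alice", "guess%d" % i, "10.0.0.9", 10.0 + i) for i in range(3)]
    results.append(svc.login("alice", "correct horse", "10.0.0.9", 14.0))
    results.append(svc.login("alice", "correct horse", "10.0.0.5", 15.0))
    return results, ids


if __name__ == "__main__":
    results, ids = run_scenario()
    print(results)
    print("blocked sources:", sorted(ids.blocked))
```

The verdict channel is what distinguishes this from plain logging: the application hands the IDS the context a packet trace or a generic syslog message lacks (which user, from where, with what outcome), and the IDS can answer in time to stop the fourth attempt rather than report it afterwards.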
Intrusion Detection in Wireless Ad-hoc Networks
The problem:
Open medium – attacks can come from anywhere and go anywhere
No clear topology – the network is continually changing, and there are no central points at which to monitor it
Intrusion Detection in Wireless Ad-hoc Networks
The solution: an IDS at every node
Let’s take a closer look at the IDS…
Intrusion Detection in Wireless Ad-hoc Networks
Detecting abnormal routing updates:
Give each IDS a built-in GPS, so it knows how the node itself is moving, and watch for an unexpected number of route changes (statistical analysis).
Intrusion Detection in Wireless Ad-hoc Networks
Detecting abnormal activities in other layers:
Various independent monitors detect anomalies in the other protocol layers, and their results are combined into a confidence rating.
Intrusion Detection in Wireless Ad-hoc Networks
Respond to a detected intrusion by reconstructing the routing tables and routing around the compromised node.
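The three slides above (route-change statistics against the node's own movement, independent per-layer monitors combined into a confidence rating, and rerouting around the suspect node) fit in one small program. This is an added example, not code from the Zhang/Lee paper: the observation layout, the speed normalisation, the z-score limit, the monitor weights, the alert threshold, the topology and all the data are assumptions constructed for this illustration.

```python
"""Per-node anomaly detection and response for an ad-hoc network IDS.

Added example, not code from the Zhang/Lee paper. Each interval records the
node's own speed (from its GPS), how many routing-table entries changed, and
what share of packets a watched neighbour failed to forward. The routing
monitor judges churn relative to movement with a z-score against a baseline;
a forwarding monitor watches another layer; the scores are combined into a
confidence rating and, above a threshold, the node reroutes around the suspect
neighbour. Normalisation, weights, thresholds, topology and data are assumed.
"""
from collections import deque
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Interval:
    route_changes: int    # routing-table entries changed during the interval
    speed_mps: float      # the node's own speed, from its GPS receiver
    drop_ratio: float     # share of packets handed to the watched neighbour that it did not forward


class RoutingMonitor:
    """Flags route churn that the node's own movement does not explain."""

    def __init__(self, baseline, z_limit=3.0):
        rates = [self._rate(iv) for iv in baseline]
        self.mu, self.sigma, self.z_limit = mean(rates), pstdev(rates) or 1.0, z_limit

    @staticmethod
    def _rate(iv):
        # changes per unit of movement; +1 keeps a stationary node from dividing by zero
        return iv.route_changes / (iv.speed_mps + 1.0)

    def score(self, iv):
        """0.0 = like the baseline, 1.0 = at or beyond z_limit standard deviations above it."""
        z = (self._rate(iv) - self.mu) / self.sigma
        return min(max(z / self.z_limit, 0.0), 1.0)


class ForwardingMonitor:
    """Independent monitor at another layer: a neighbour that drops what it should forward."""

    def __init__(self, max_drop=0.2):
        self.max_drop = max_drop

    def score(self, iv):
        return min(iv.drop_ratio / self.max_drop, 1.0)


def confidence(monitors, iv):
    """Weighted combination of the independent monitors' scores (weights assumed)."""
    return sum(weight * m.score(iv) for m, weight in monitors)


def path_avoiding(graph, src, dst, bad):
    """Breadth-first route from src to dst that never uses node `bad`; None if impossible.
    This is the 'reconstruct the routing table around the compromised node' response."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in graph.get(node, ()):
            if nxt != bad and nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


# Constructed baseline: route changes grow with the node's own speed, forwarding is healthy.
BASELINE = [Interval(2, 0.0, 0.01), Interval(3, 1.0, 0.0), Interval(5, 2.0, 0.02), Interval(4, 1.5, 0.01),
            Interval(2, 0.5, 0.0), Interval(6, 2.5, 0.01), Interval(3, 1.0, 0.0), Interval(4, 2.0, 0.02)]
FAST_BUT_NORMAL = Interval(8, 4.0, 0.02)     # moving quickly, so many route changes are expected
STATIONARY_ATTACK = Interval(20, 0.0, 0.6)   # standing still, yet the table churns and the neighbour drops traffic
TOPOLOGY = {"A": ["B", "D"], "B": ["A", "C"], "C": ["B", "D"], "D": ["A", "C"]}  # we are A, watching B


def assess(iv, alert_at=0.5):
    """Combine the monitors; on alert, compute the route to C that bypasses the watched neighbour B."""
    monitors = [(RoutingMonitor(BASELINE), 0.6), (ForwardingMonitor(), 0.4)]
    c = confidence(monitors, iv)
    detour = path_avoiding(TOPOLOGY, "A", "C", "B") if c >= alert_at else None
    return c, detour


if __name__ == "__main__":
    for label, iv in (("fast but normal", FAST_BUT_NORMAL), ("stationary attack", STATIONARY_ATTACK)):
        print(label, assess(iv))
```

Dividing the change count by the node's own speed is what the GPS buys: a node that is moving fast legitimately sees its neighbours change, while a stationary node whose table churns is seeing routing updates that nothing physical explains.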
Towards Trapping Wily Intruders in the Large
G. Mansfield, K. Ohta, Y. Takei, N. Kato, Y. Nemoto, "Towards Trapping Wily Intruders in the Large"
The basics: monitor the network and collect statistics. When the statistics deviate from “normal” behaviour, flag it.
Extend SNMP so that various networks can collaborate to track down the intruder.
Towards Trapping Wily Intruders in the Large
When a network is under attack there is usually a lot of suspicious traffic – in particular, more:
TCP RST packets
ICMP echo requests and replies
ICMP destination unreachable messages
Towards Trapping Wily Intruders in the Large
ICMP echo: often occurs in high volume when a network is under attack:
Mapping out a network
DDoS attacks
Smurf attacks – let’s take a look
Towards Trapping Wily Intruders in the Large
Smurf attack (diagram): hosts 1.1.1.1, 1.1.1.2 and 1.1.1.3 on the 1.1.1.x network (broadcast address 1.1.1.255); outside hosts 2.2.2.2 and 3.3.3.3.
1. A ping (ICMP echo request) is sent to the broadcast address 1.1.1.255 with the spoofed source address 3.3.3.3.
2. Every host on the 1.1.1.x network answers the broadcast with an echo reply.
3. All the replies go to 3.3.3.3, which receives many echo responses for a single request: the amplification that makes the attack work, and the burst of echo replies that makes it visible in the statistics.
Towards Trapping Wily Intruders in the Large
TCP resets: they do not occur very often in normal network traffic, but very often when a network is being attacked, e.g. during:
Port scanning
Inverse mapping – let’s take a look at this.
Towards Trapping Wily Intruders in the Large
Inverse mapping (diagram): router 1.1.1.1 in front of hosts 1.1.1.2 and 1.1.1.3; hosts 2.2.2.2 and 2.2.2.3 on the other side.
Successful routing (the probed address exists):
1. An unsolicited ACK carrying the spoofed source address 1.1.1.2 is sent.
2. The recipient has no such connection and answers with a TCP reset addressed to 1.1.1.2.
3. Router 1.1.1.1 forwards the reset on to 1.1.1.2.
4. 1.1.1.2 silently drops the unsolicited reset: no response.
Unsuccessful routing (the probed address does not exist):
1. The same probe, now with the spoofed source address 1.1.1.4.
2. The recipient answers with a TCP reset addressed to 1.1.1.4.
3. Router 1.1.1.1 cannot deliver it and returns ICMP “no route to host” (destination unreachable).
Whether the reset is swallowed or comes back as an ICMP unreachable tells the attacker which addresses are live without ever sending a SYN, and it shows up as extra TCP resets and ICMP unreachables in the traffic statistics.
Towards Trapping Wily Intruders in the Large
So, now that we know what we’re looking for, how do we find it?
Let’s just use some simple math – isolate patterns with least-squares curve fitting, and find correlations between the network traffic counters.
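The detection step described above, as an added example that is not code from the Mansfield et al. paper: per-interval counts of TCP resets, ICMP echo requests, echo replies and destination unreachables are fitted with a least-squares line over an assumed attack-free baseline, later intervals that exceed the trend by more than k residual standard deviations are flagged, and the flagged counters are correlated to name the pattern (amplified replies for a Smurf attack, resets rising together with unreachables for a scan or inverse mapping). The `TRAFFIC` series, the baseline length, k and the pattern rules are constructed assumptions.

```python
"""Statistical detection over per-interval traffic counters.

Added example, not code from the Mansfield et al. paper. It fits a
least-squares line to the first intervals of each counter (assumed to be
attack-free), flags later intervals whose excess over the fitted trend is
more than k residual standard deviations, and correlates the flagged counters
to name the pattern. TRAFFIC, the baseline length, k and the pattern rules
are constructed assumptions.
"""
import math


def lstsq_line(xs, ys):
    """Ordinary least-squares fit y = a + b*x; returns (a, b)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    b = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sxx if sxx else 0.0
    return my - b * mx, b


def excess_intervals(series, baseline_n=8, k=4.0):
    """Indices of intervals whose count exceeds the baseline trend by more than k sigma.
    Only excess is flagged: the slides are about packet types that become more frequent."""
    xs = list(range(baseline_n))
    a, b = lstsq_line(xs, series[:baseline_n])
    resid = [y - (a + b * x) for x, y in zip(xs, series[:baseline_n])]
    sigma = math.sqrt(sum(r * r for r in resid) / baseline_n) or 1.0
    return [t for t in range(baseline_n, len(series)) if series[t] - (a + b * t) > k * sigma]


def pearson(xs, ys):
    """Pearson correlation of two equally long series (0.0 if either is constant)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / math.sqrt(sxx * syy) if sxx and syy else 0.0


# Constructed counters per interval: 8 quiet intervals with a mild trend, then 4 under attack.
TRAFFIC = {
    "tcp_rst":           [5, 6, 6, 7, 7, 8, 8, 9, 40, 55, 60, 70],
    "icmp_echo_request": [10, 11, 12, 12, 13, 14, 14, 15, 15, 16, 15, 16],
    "icmp_echo_reply":   [10, 11, 11, 12, 13, 13, 14, 15, 400, 520, 610, 700],
    "icmp_unreachable":  [1, 1, 2, 1, 2, 2, 2, 3, 30, 45, 50, 60],
}


def analyse(traffic):
    """Flag each counter, then name the patterns the flagged counters form together."""
    excess = {name: excess_intervals(s) for name, s in traffic.items()}
    patterns = []
    replies, requests = set(excess["icmp_echo_reply"]), set(excess["icmp_echo_request"])
    if replies - requests:   # replies surge without a matching surge in requests we sent
        patterns.append("amplified echo replies without matching requests (Smurf-like)")
    both = set(excess["tcp_rst"]) & set(excess["icmp_unreachable"])
    if both and pearson(traffic["tcp_rst"], traffic["icmp_unreachable"]) > 0.8:
        patterns.append("resets correlated with unreachables (port scan / inverse mapping)")
    return {"excess": excess, "patterns": patterns}


if __name__ == "__main__":
    result = analyse(TRAFFIC)
    for name, idx in result["excess"].items():
        print(f"{name:20s} excess in intervals {idx}")
    print("patterns:", result["patterns"])
```

Fitting a line rather than using a flat mean matters even on this small data: the quiet intervals drift upward, and a flat threshold set from the early ones would start flagging ordinary growth. Flagging only the positive residual is deliberate, since a drop in echo requests is not evidence of the attacks the slides describe.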
Towards Trapping Wily Intruders in the Large
Tracing an attack
Towards Trapping Wily Intruders in the Large
This system does not rely on specific attack types, patterns or signatures, and does not attempt to reconstruct a detailed transaction log; it relies only on statistics.
It can trace back the flow of the attack across the cooperating networks.