response ex5

Upload: tanmaya1991

Post on 03-Jun-2018


8/13/2019 Response Ex5

    IT Security - 2

    Exercise 5 (Intrusion Detection Systems)

    Tanmaya Mahapatra

    Matriculation Number : 340959

    [email protected]

    Bharath Rangaraj

    Matriculation Number : 340909

    [email protected]

    Mohibullah Kamal

    Matriculation Number : 341323

    [email protected]

    November 24, 2013

    1 Task - 1 : IDS

    Question 1

    What is a false positive, what is a false negative hit in an IDS system?

    Solution:

    A false positive is an alarm the IDS raises for activity that is actually benign: something is reported as an attack, but no attack took place and no system was harmed.

    A false negative is an actual attack, one that does do harm, which the IDS fails to detect and therefore never reports.

    Question 2

    How would you determine the data for an anomaly based IDS, e.g. the amount of permitted failed login attempts?

    Solution:

    The permitted amount of failed login attempts is not fixed by hand but derived from a baseline of normal behaviour. The anomaly-based IDS:

    Analyzes a set of characteristics of the system (e.g. failed logins per user, per source address and per time window).

    Compares their values with the expected values learned from the baseline.

    Reports when the computed statistics do not match the expected statistics.

    Different types of metrics can be applied:

    1. Threshold metrics: a fixed limit on a count within a time interval.

    2. Statistical moments: mean and standard deviation (or higher moments) of the observed values; a value that lies too many standard deviations from the mean is anomalous.

    3. Markov model: the probability of the observed sequence of events under transition probabilities learned from the baseline; an improbable sequence is anomalous.
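The three metric types above applied to the failed-login case, as an added example that is not part of the original exercise answer. The sshd-style log lines, the baseline counts per window, the login sessions and the host and address names are all constructed for illustration; the statistical threshold is derived from the baseline rather than chosen by hand.

```python
"""Added example (not part of the original exercise answer): deriving the
permitted number of failed logins from a baseline rather than guessing it,
with the three metric types listed above. Log format, host names, addresses,
baseline counts and sessions are all constructed for illustration."""
import math
import re
from collections import Counter, defaultdict

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+)")

# Constructed sshd-style lines for one observation window (assumed: 10 minutes).
WINDOW_LOG = """\
Nov 24 10:01:03 web1 sshd[4021]: Failed password for root from 203.0.113.5 port 4242 ssh2
Nov 24 10:01:05 web1 sshd[4021]: Failed password for root from 203.0.113.5 port 4243 ssh2
Nov 24 10:01:09 web1 sshd[4023]: Failed password for invalid user admin from 203.0.113.5 port 4244 ssh2
Nov 24 10:01:12 web1 sshd[4023]: Failed password for invalid user admin from 203.0.113.5 port 4245 ssh2
Nov 24 10:03:40 web1 sshd[4030]: Accepted password for alice from 198.51.100.7 port 51022 ssh2
Nov 24 10:04:01 web1 sshd[4031]: Failed password for bob from 198.51.100.9 port 51100 ssh2
Nov 24 10:04:07 web1 sshd[4031]: Accepted password for bob from 198.51.100.9 port 51100 ssh2
""".splitlines()

# Constructed baseline: failed logins per window on the same host during a
# week assumed to be attack-free. This is the "expected" behaviour.
BASELINE = [0, 1, 0, 2, 1, 0, 3, 1, 1, 0, 2, 1, 0, 1, 2, 0, 1, 1, 0, 2]

def failed_logins_per_source(lines):
    """The characteristic being measured: failed logins per source address."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

# 1. Threshold metric: a fixed limit chosen by the administrator.
def exceeds_threshold(count, limit=3):
    return count > limit

# 2. Statistical moments: mean and standard deviation of the baseline; a count
#    more than k standard deviations above the mean does not match expectations.
def moment_threshold(baseline, k=3.0):
    n = len(baseline)
    mean = sum(baseline) / n
    variance = sum((x - mean) ** 2 for x in baseline) / n
    return mean + k * math.sqrt(variance)

def is_statistical_anomaly(count, baseline=BASELINE, k=3.0):
    return count > moment_threshold(baseline, k)

# 3. Markov model: learn transition probabilities between login outcomes
#    (F = failed, S = succeeded) from baseline sessions; a sequence less
#    probable than any baseline session is anomalous.
def train_markov(sequences):
    transitions = defaultdict(Counter)
    for seq in sequences:
        for a, b in zip(seq, seq[1:]):
            transitions[a][b] += 1
    return {a: {b: c / sum(nxt.values()) for b, c in nxt.items()}
            for a, nxt in transitions.items()}

def sequence_log_prob(model, seq, floor=1e-6):
    # floor keeps a transition never seen in the baseline from producing log(0)
    return sum(math.log(model.get(a, {}).get(b, floor)) for a, b in zip(seq, seq[1:]))

BASELINE_SESSIONS = ["S", "FS", "S", "S", "FFS", "S", "FS", "S"]   # constructed
MARKOV = train_markov(BASELINE_SESSIONS)
MARKOV_CUTOFF = min(sequence_log_prob(MARKOV, s) for s in BASELINE_SESSIONS)

def is_markov_anomaly(seq, model=MARKOV, cutoff=MARKOV_CUTOFF):
    return sequence_log_prob(model, seq) < cutoff

def analyze_window(lines=WINDOW_LOG):
    """Report every source in the window with its count and both verdicts."""
    return {src: {"failed": n,
                  "threshold": exceeds_threshold(n),
                  "statistical": is_statistical_anomaly(n)}
            for src, n in failed_logins_per_source(lines).items()}

if __name__ == "__main__":
    print("statistical cutoff: %.2f failed logins per window" % moment_threshold(BASELINE))
    for src, verdict in analyze_window().items():
        print(src, verdict)
    print("FFFFFFS anomalous under Markov model:", is_markov_anomaly("FFFFFFS"))
```

With this baseline the statistical cutoff comes out at about 3.5 failed logins per window, so the four attempts from 203.0.113.5 are reported while the single failure from 198.51.100.9 is not; the Markov model flags a session of six consecutive failures because its probability is far below anything seen in the baseline.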


    Question 3

    How do directors, sensors, notifiers and agents interact with each other in an IDS system ?

    Solution:

    Agents: An agent obtains information from the sensors (the components that actually observe the host or the network), sorts and stores the raw data for later retrieval, and finally sends the most relevant data to the director.

    Director: The director analyzes the data obtained from the agents according to its internal rules. It eliminates unnecessary and redundant records and correlates information from different agents.

    Notifier: The notifier obtains the results from the director and takes action, for example:

    May notify the security officer.

    May reconfigure agents and directors to alter the collection and analysis methods, respectively.
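The data flow described above, as an added example that is not part of the original exercise answer: sensors produce raw records, agents keep them and forward the relevant events, the director correlates across agents and applies its rules, and the notifier reacts. The event format, the block and reconfigure actions, and the auth-log lines of the two hosts are assumptions constructed for this illustration; the web1 log is deliberately delivered through two agents so that the director's duplicate elimination has something to do.

```python
"""Added example (not part of the original exercise answer) of the data flow
described above: sensors produce raw records, agents keep them and forward the
relevant events, the director correlates across agents and applies its rules,
and the notifier reacts. Event format, the block/reconfigure actions and the
auth-log lines are assumptions constructed for this illustration."""
import re
from collections import Counter, defaultdict

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")

# Constructed logs. web1 is read by a local agent AND by a central syslog
# agent, so the director will receive each web1 record twice.
WEB1_LOG = """\
Nov 24 10:01:03 web1 sshd[4021]: Failed password for root from 203.0.113.5 port 4242 ssh2
Nov 24 10:01:05 web1 sshd[4021]: Failed password for root from 203.0.113.5 port 4243 ssh2
Nov 24 10:01:09 web1 sshd[4023]: Failed password for root from 203.0.113.5 port 4244 ssh2
Nov 24 10:01:12 web1 sshd[4023]: Failed password for root from 203.0.113.5 port 4245 ssh2
Nov 24 10:03:40 web1 sshd[4030]: Failed password for alice from 198.51.100.7 port 51022 ssh2
Nov 24 10:03:47 web1 sshd[4030]: Accepted password for alice from 198.51.100.7 port 51022 ssh2
""".splitlines()
DB1_LOG = """\
Nov 24 10:02:15 db1 sshd[911]: Failed password for invalid user admin from 203.0.113.5 port 4300 ssh2
Nov 24 10:02:19 db1 sshd[911]: Failed password for invalid user admin from 203.0.113.5 port 4301 ssh2
""".splitlines()

class Sensor:
    """Observes one data source; each record gets an id so duplicates can be spotted."""
    def __init__(self, host, lines):
        self.host, self.lines = host, lines
    def read(self):
        return [((self.host, i), line) for i, line in enumerate(self.lines)]

class Agent:
    """Obtains raw records from its sensors, stores them for later retrieval
    and sends only the relevant events (failed logins) to the director."""
    def __init__(self, sensors, min_failures=1):
        self.sensors = sensors
        self.min_failures = min_failures   # the notifier may raise this later
        self.raw_store = []                # everything, kept for forensics
    def collect(self):
        per_src, events = Counter(), []
        for sensor in self.sensors:
            for rec_id, line in sensor.read():
                self.raw_store.append((rec_id, line))
                m = FAILED_RE.search(line)
                if m:
                    user, src = m.groups()
                    per_src[src] += 1
                    events.append({"id": rec_id, "host": sensor.host, "user": user, "src": src})
        return [e for e in events if per_src[e["src"]] >= self.min_failures]

class Director:
    """Correlates the events of all agents, drops redundant records and applies
    its rule: max_failures or more failed logins from one source is an intrusion."""
    def __init__(self, max_failures):
        self.max_failures = max_failures
    def analyze(self, agents):
        seen, failures, hosts = set(), Counter(), defaultdict(set)
        for agent in agents:
            for e in agent.collect():
                if e["id"] in seen:        # same record delivered via two agents
                    continue
                seen.add(e["id"])
                failures[e["src"]] += 1
                hosts[e["src"]].add(e["host"])
        alerts = [{"src": src, "failures": n, "hosts": sorted(hosts[src]),
                   "severity": "high" if len(hosts[src]) > 1 else "medium"}
                  for src, n in failures.items() if n >= self.max_failures]
        return sorted(alerts, key=lambda a: -a["failures"])

class Notifier:
    """Obtains the director's results and reacts: notifies, blocks, reconfigures."""
    def __init__(self, agents, director):
        self.agents, self.director = agents, director
    def act(self, alerts):
        actions = {"notify": [], "block": []}
        for a in alerts:
            actions["notify"].append("%s: %d failed logins from %s on %s" % (
                a["severity"], a["failures"], a["src"], ",".join(a["hosts"])))
            actions["block"].append(a["src"])      # e.g. feed into a firewall rule
        if any(a["severity"] == "high" for a in alerts):
            for agent in self.agents:              # reconfigure collection: stop
                agent.min_failures = 2             # forwarding single stray failures
        return actions

def run_pipeline(max_failures=5):
    local = Agent([Sensor("web1", WEB1_LOG)])
    central = Agent([Sensor("web1", WEB1_LOG), Sensor("db1", DB1_LOG)])
    agents = [local, central]
    director = Director(max_failures)
    notifier = Notifier(agents, director)
    alerts = director.analyze(agents)
    return alerts, notifier.act(alerts), agents

if __name__ == "__main__":
    alerts, actions, _ = run_pipeline()
    print(alerts)
    print(actions)
```

The director counts six failures from 203.0.113.5 rather than ten, because the four web1 records that arrive through both agents are recognised as the same records; since the source hit two hosts the alert is rated high, the notifier blocks the address (the kind of reaction Question 5 lists) and tells the agents to stop forwarding single stray failures.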

    Question 4

    In general, is it a good idea for a system to automatically react to attacks in a predefined fashion?

    Solution:

    Yes, it is generally better to be on the safe side, but the answer depends on the system under observation. If the system holds very sensitive data and is prone to attacks, it should be more alert and quicker to respond to anomalies. The caveat is that an automatic reaction turns every false positive (Question 1) into a self-inflicted denial of service, and an attacker who can spoof the source of an event can provoke the predefined reaction against legitimate users or hosts, so the reaction should be proportionate and reversible.

    Question 5

    Give examples of what the reaction of an IDS could look like.

    Solution:

    The reactions of an IDS could be:

    Block the port or the user.

    Lock an e-mail account after 5 wrong password attempts.

    Block traffic from addresses that previously produced too many failed connection attempts.

    2 Task - 2 : IDS

    Question 1

    What is the biggest advantage of anomaly-based intrusion detection, what its biggest disadvantage?

    Solution:


    Question 2

    Give reasons why translating Snort rules into iptables rules can be useful.

    Solution:

    Snort is typically deployed in a passive stance and used to monitor a network for suspicious activity; it is not usually deployed inline, although it does offer this capability. A policy built by fwsnort is not constrained to passive packet inspection: an fwsnort policy can be configured to drop malicious packets via the iptables DROP target.

    The fwsnort project (the tool used for converting Snort rules to iptables rules) is focused on enhancing the ability of the Linux kernel to control the types of packets allowed to communicate with (or through) a Linux system. By combining the power of the Snort signature language with the speed of the Linux kernel and the simplicity of iptables commands, fwsnort is able to bolster the security stance of an existing IDS/IPS infrastructure. Deploying fwsnort alongside another IDS/IPS is straightforward, since fwsnort simply builds a shell script that executes iptables commands (typically on an end host). In addition, because iptables is always inline to network traffic, it is rigorously tested for stability and speed.

    Heavily used systems may lack the resources to deploy an additional userland process for intrusion detection (such as Snort). In the case of fwsnort, packet inspection takes place directly within the Linux kernel, which usually places a lightweight usage footprint on system resources: there is no need to copy data from kernel memory into a userland process.

    Inline responses: because the iptables signature policy built by fwsnort is always inline to network traffic, it is an ideal candidate for taking action against attacks that are particularly malicious.
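What such a translation looks like in practice, as an added example that is neither part of the original answer nor code from the fwsnort project: a minimal Snort-rule-to-iptables converter that covers the rule header (action, protocol, addresses and ports with $VAR expansion and ! negation) and the content and nocase options, mapping content to the iptables string match, which accepts the same |hex| notation as Snort. The rules, the network variables and the sid values are constructed for illustration, and every option other than content, nocase, msg and sid is only carried into the rule comment.

```python
"""Added example (not part of the original answer, nor code from the fwsnort
project): a minimal translation of Snort rules into iptables commands, the
kind of rewriting fwsnort automates. Supported: action, protocol, addresses
and ports (with $VAR and ! negation), content (plain or |hex|) and nocase;
other rule options are carried only into the comment. The rules, the
network variables and the sid values are constructed for illustration."""
import re
import shlex

HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<body>.*)\)\s*$")

VARS = {"HOME_NET": "192.0.2.0/24", "EXTERNAL_NET": "any"}   # assumed snort.conf values
TARGETS = {"pass": "RETURN", "drop": "DROP", "reject": "REJECT"}  # alert/log: caller decides

RULES = [   # constructed rules; sids are from the local range
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB passwd file access"; content:"/etc/passwd"; nocase; sid:1000001; rev:1;)',
    'drop udp any any -> $HOME_NET 53 (msg:"DNS all-zero query"; content:"|00 00 00 00|"; sid:1000002; rev:1;)',
    'alert tcp $HOME_NET any -> !$HOME_NET 6667 (msg:"IRC outbound"; content:"NICK "; sid:1000003; rev:1;)',
]

def parse_body(body):
    """Split the option list; each content keeps its own nocase flag, since in
    Snort a nocase modifier applies to the content that precedes it."""
    opts, contents = {}, []
    for part in body.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if key == "content":
            contents.append({"pattern": value, "nocase": False})
        elif key == "nocase" and contents:
            contents[-1]["nocase"] = True
        else:
            opts[key] = value
    return opts, contents

def resolve(token):
    """Expand $VAR and a leading '!' into (value, negated)."""
    negated = token.startswith("!")
    token = token.lstrip("!")
    if token.startswith("$"):
        token = VARS.get(token[1:], token)
    return token, negated

def snort_to_iptables(rule, chain="INPUT", target="DROP"):
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("unsupported rule header: " + rule)
    h = m.groupdict()
    opts, contents = parse_body(h["body"])
    args = ["iptables", "-A", chain, "-p", h["proto"]]
    fields = [("-s", h["src"]), ("-d", h["dst"])]
    if h["proto"] in ("tcp", "udp"):           # ports only exist for tcp/udp
        fields += [("--sport", h["sport"]), ("--dport", h["dport"])]
    for flag, token in fields:
        value, negated = resolve(token)
        if value != "any":
            args += (["!"] if negated else []) + [flag, value]
    for c in contents:
        # the string match understands the same |hex| notation as Snort
        kind = "--hex-string" if "|" in c["pattern"] else "--string"
        args += ["-m", "string", "--algo", "bm", kind, c["pattern"]]
        if c["nocase"]:
            args.append("--icase")
    label = ("sid:%s %s" % (opts.get("sid", "?"), opts.get("msg", ""))).strip()
    args += ["-m", "comment", "--comment", label[:255], "-j", TARGETS.get(h["action"], target)]
    # keep '!' bare: it is iptables syntax, and shlex would quote it
    return " ".join(t if t == "!" else shlex.quote(t) for t in args)

if __name__ == "__main__":
    for rule in RULES[:2]:
        print(snort_to_iptables(rule))
    print(snort_to_iptables(RULES[2], chain="OUTPUT"))
```

The first rule becomes `iptables -A INPUT -p tcp -d 192.0.2.0/24 --dport 80 -m string --algo bm --string /etc/passwd --icase -m comment --comment 'sid:1000001 WEB passwd file access' -j DROP`; the alert rule is emitted with the DROP target because the inline stance is the point of the exercise, while a pass rule turns into RETURN. Real Snort rules carry options this converter does not translate (pcre, flow, byte_test, depth/offset), which is exactly where a tool like fwsnort has to decide per rule whether a faithful iptables equivalent exists.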

    5 Task - 5 : Base-rate fallacy

    Question 1

    Describe in your own words why the base-rate fallacy is that important for IDSes.

    Solution:

    An important requirement is that an intrusion detection system be effective: it should detect a substantial percentage of the intrusions into the supervised system while keeping the false alarm rate at an acceptable level. The false alarm rate is the limiting factor for the performance of an intrusion detection system. This is due to the base-rate fallacy: intrusions are rare compared with the total volume of audited events, so the prior probability P(Intrusion) is tiny, and by Bayes' theorem

    P(Intrusion|Alarm) = P(Alarm|Intrusion) P(Intrusion) / (P(Alarm|Intrusion) P(Intrusion) + P(Alarm|No intrusion) P(No intrusion))

    the denominator is dominated by the false-alarm term P(Alarm|No intrusion) P(No intrusion). To achieve a substantial Bayesian detection rate P(Intrusion|Alarm) we therefore have to achieve a (perhaps in some cases unattainably) low false alarm rate. Even for a large detection rate P(Alarm|Intrusion), the Bayesian detection rate is dominated by the false alarm rate, and a stream of alarms that are mostly false will induce the security officer to ignore all (or most) of them. Hence the base-rate fallacy is that important for IDSes.
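The arithmetic behind the argument above, as an added example that is not part of the original answer: the Bayesian detection rate computed from the base rate, the detection rate and the false alarm rate, plus the false alarm rate an IDS would have to reach for a wanted P(Intrusion|Alarm). The audit volume and intrusion frequency are assumptions for this illustration, chosen in the same range as Axelsson's classic base-rate example (about a million audit records per day, a handful of which belong to intrusions).

```python
"""Added example (not part of the original answer): the Bayesian detection
rate P(Intrusion|Alarm) computed from the base rate, the detection rate and
the false alarm rate. The event volume and intrusion frequency are assumed
(chosen in the same range as Axelsson's classic illustration: about a million
audit records per day, a handful of which belong to intrusions)."""

def bayesian_detection_rate(p_intrusion, detection_rate, false_alarm_rate):
    """P(I|A) = P(A|I)P(I) / (P(A|I)P(I) + P(A|not I)P(not I))."""
    true_alarms = detection_rate * p_intrusion
    false_alarms = false_alarm_rate * (1.0 - p_intrusion)
    return true_alarms / (true_alarms + false_alarms)

def required_false_alarm_rate(p_intrusion, detection_rate, target_pia):
    """Solve P(I|A) = target_pia for the false alarm rate the IDS must reach."""
    return (detection_rate * p_intrusion * (1.0 - target_pia)
            / (target_pia * (1.0 - p_intrusion)))

def alarms_per_day(records_per_day, p_intrusion, detection_rate, false_alarm_rate):
    """Absolute numbers of true and false alarms the security officer sees per day."""
    intrusion_records = records_per_day * p_intrusion
    return (detection_rate * intrusion_records,
            false_alarm_rate * (records_per_day - intrusion_records))

RECORDS_PER_DAY = 1_000_000         # assumed audit volume
INTRUSION_RECORDS = 20              # assumed: 2 intrusions per day, 10 records each
P_INTRUSION = INTRUSION_RECORDS / RECORDS_PER_DAY   # base rate, 2e-5

def base_rate_table(detection_rate=1.0, rates=(1e-2, 1e-3, 1e-4, 1e-5, 1e-6)):
    """(false alarm rate, P(I|A), false alarms per day) for a perfect detector."""
    return [(fpr,
             bayesian_detection_rate(P_INTRUSION, detection_rate, fpr),
             alarms_per_day(RECORDS_PER_DAY, P_INTRUSION, detection_rate, fpr)[1])
            for fpr in rates]

if __name__ == "__main__":
    print("P(Intrusion) = %.0e, detection rate = 1.0" % P_INTRUSION)
    for fpr, pia, false_per_day in base_rate_table():
        print("false alarm rate %.0e -> P(I|A) = %.4f, about %.0f false alarms/day"
              % (fpr, pia, false_per_day))
    print("false alarm rate needed for P(I|A) = 0.5: %.1e"
          % required_false_alarm_rate(P_INTRUSION, 1.0, 0.5))
```

Even with a detector that misses nothing, a false alarm rate of 1e-3 (one false alarm per thousand records, which sounds excellent) gives P(Intrusion|Alarm) of about 2% and roughly a thousand false alarms a day; only at 1e-5 do two out of three alarms correspond to real intrusions. That is the "perhaps unattainably low" false alarm rate the answer refers to.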

    Question 2

    What are the consequences for intrusion detection in general ?


    Solution:

    The consequences depend on the point of view.

    Victim's point of view:

    1. What happened ?

    2. Who is affected and how ?

    3. Who is the intruder ?

    4. Where and when did the intrusion originate ?

    5. How and why did the intrusion happen ?

    Attacker's point of view:

    1. What is my objective ?

    2. What vulnerabilities exist in the target system?

    3. What damage is possible ?

    4. What exploit tools are available?

    5. What is the risk of my exposure ?

    The goal of an IDS is to characterize attack manifestations so as to positively identify all true attacks without falsely identifying non-attacks. The motivation for using ID technology can vary. Some users might want to collect forensic information to locate and prosecute intruders. Others might use ID to trigger actions to protect computing resources. Still others might use ID as a diagnostic for identifying and correcting vulnerabilities.
