91.460.201 & 91.530.202 Selected Topics: Digital Forensics Overview of Intrusion Detection/prevention Xinwen Fu


Page 1

91.460.201 & 91.530.202 Selected Topics: Digital Forensics

Overview of Intrusion Detection/prevention

Xinwen Fu

Page 2

CS@UML, by Dr. Xinwen Fu

Outline
- What is intrusion detection
- Host, Network & Perimeter Detection
- The Emergence of Intrusion Prevention
- Real-World Examples
- Future Directions

Page 3

A Big Picture of Cyber Space

[Figure: network diagram of the UML and TAMU sites connected through the Internet, with a router, a firewall, a switch and an intrusion detection system; source: http://www.inmon.com/tutorials/ids.php]

Page 4

What is Intrusion Detection?

"a process of identifying and responding to malicious activity targeted at computing and networking resources"

[Figure: incident response lifecycle. Pre-incident preparation; incident occurs (point-in-time or ongoing); detection of incidents; initial response; formulate response strategy; investigate the incident (data collection, data analysis); reporting; resolution, recovery, implement security measures. CSIRT: Computer Security Incident Response Team]

Page 5

A Brief History of Intrusion Detection
- 1970s – Rudimentary audit-trail analysis
- 1980s – Signature-based expert systems
- 1990s – Explosion of available IDS systems
- 2000s
  - Emergence of active IDS: Intrusion Detection and Prevention (IDP), Intrusion Prevention Systems (IPS)
  - Convergence of technologies: Firewall + IDP + Anti-Virus; appliances and security switches

Host => Network => Perimeter

Page 6

A Sample Intrusion Detection System (IDS)

Page 7

Outline
- What is intrusion detection
- Host, Network & Perimeter Detection
- The Emergence of Intrusion Prevention
- Real-World Examples
- Future Directions

Page 8

[Figure: Internet map showing the UML and TAMU sites connected through the ISPs Mid-Continent and ComCast]

Page 9

HIDS: Host-Based Intrusion Detection System
HIDS resides on a single host system. The system analyzes:
- Network packets entering and leaving the host
- Audit trails and log files on the host
- Processes and systems running on the host

Recent advances in Intrusion Prevention:
- Protocol enforcement
- Stack enforcement
- File checksum monitoring

All these attempt to protect against exploitation of software vulnerabilities by buffer overflow or protocol anomalies.

Page 10

Buffer overflows

    #include <string.h>

    /* Deliberately vulnerable, as on the original slide: strcpy copies argv[1] into
       the 512-byte stack buffer with no length check, so a longer argument overruns it. */
    int main(int argc, char *argv[]) {
        char buffer[512];
        if (argc > 1)
            strcpy(buffer, argv[1]);
        return 0;
    }

Page 11

What is happening within your code?
1. The stack is used to store local variables and the return address (where your function should return when it finishes)
2. An attacker's input consists of:
   - malicious code
   - a new return address (pointing to the malicious code)

Page 12

Where is the HIDS on the Internet?

[Figure: the Internet map from page 8 (TAMU, Mid-Continent, ComCast, UML) with the HIDS position marked]

Page 13

NIDS: Network-Based Intrusion Detection System
NIDS listens to the entire network segment. The system analyzes:
- Network packets passing along the network cable
- Audit trails and log files sent to the NIDS by hosts
- Processes and systems running on the network hosts

Recent advances in Intrusion Prevention:
- "Active" rules to shut down connections
- "Integration" with firewalls to disable attackers
- "Data mining" to summarize the events

Page 14

Where is the NIDS on the Internet?

[Figure: the Internet map from page 8 (TAMU, Mid-Continent, ComCast, UML) with the NIDS position marked]

Page 15

PIDS: Perimeter-Based Intrusion Detection System
PIDS resides on a gateway/edge router. The system analyzes:
- Network packets passing through the gateway
- Audit trails and log files on the gateway
- Processes and systems running on the gateway

Recent advances in Intrusion Prevention:
- Actively blocking known malicious attacks
- Zero-latency blocking

Page 16

Where is PIDS on the Internet?

[Figure: Internet map showing TAMU, Mid-Continent and Prairiewave with the PIDS position marked]

Page 17

Outline
- What is intrusion detection
- Host, Network & Perimeter Detection
- The Emergence of Intrusion Prevention
- Real-World Examples
- Future Directions

Page 18

Throughput - Real Time Intrusion Detection
Current technology can perform at gigabit speeds. To exceed that speed, there are various options:
- Software: signature sets based on protocol; optimization, i.e. reduction in the requirement to scan
- Hardware: co-processor chips such as ASICs (application-specific integrated circuits) or others; faster main processors

This is important for host and network IDP. But for perimeter IDP, how fast is your ISP link?

Page 19

The Emergence of Intrusion Prevention
If you detect an attack and know it's an attack, it seems sensible to block it.

However, three problems are apparent:
1. False positives (false alarms) – blocking normal traffic
2. Denial of service – blocking spoofed hosts
3. Latency – delays in blocking limit effectiveness

Evolution of the technology, and the merging of firewall and IDP functionality, is solving these problems.

Page 20

A Big Picture of Intrusion Detection and Prevention Being Together

[Figure: diagram with the labels Prevent and Detect]

Page 21

Outline
- What is intrusion detection
- Host, Network & Perimeter Detection
- The Emergence of Intrusion Prevention
- Real-World Examples
- Future Directions

Page 22

SQL Slammer Worm
The fastest Internet worm in history. Time line:
- July 24th 2002, Microsoft announced the vulnerability
- January 25th 2003, SQL Slammer worm unleashed; 05:29:36 GMT first detection
- It infected more than 90 percent of vulnerable hosts within 10 minutes

The worm:
- 376-byte viral payload in a single UDP packet
- Infects machines with a single packet over UDP/1434
- UDP is a broadcast protocol: possible to infect multiple hosts with 1 packet

Page 23

Hosts Infected With Slammer

[Figure: a before-and-after animation showing the number of infected Sapphire hosts in a half-hour period between 05:29 UTC and 06:00 UTC; source: http://www.caida.org/research/security/sapphire/]

Page 24

How to stop SQL Slammer?
- Patch
- Firewall / VPN:
  - Block UDP/1434 (inbound and outbound)
  - Use a VPN for access to sensitive services
- Intrusion Detection and Prevention:
  - UDP/1434 is a well-known protocol: well-known vulnerability, 6 months before the exploit
  - IDP signatures can detect and block exploits of this vulnerability
  - The size of the packet is anomalous behavior

Zero-latency active IDS/IDP is the only way of blocking this worm.
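As an added example that is not part of the slides, the following Python sketches the two checks the slide describes for UDP/1434 traffic, a signature rule (a single UDP datagram to port 1434 with a 376-byte payload) and a size-anomaly rule against a learned baseline, and shows how a passive IDS and an active IDP respond differently; the packet records, the baseline values and the function names are constructed assumptions.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed packet record (not captured traffic); only header fields are kept.
@dataclass
class Packet:
    src: str
    proto: str
    dport: int
    payload_len: int

# Signature rule taken from the slide: Slammer is a single UDP datagram to
# port 1434 carrying a 376-byte payload. A real rule would also match bytes.
SLAMMER_PORT = 1434
SLAMMER_PAYLOAD_LEN = 376

def signature_match(p: Packet) -> bool:
    return p.proto == "UDP" and p.dport == SLAMMER_PORT and p.payload_len == SLAMMER_PAYLOAD_LEN

def anomaly_match(p: Packet, baseline: list, k: float = 3.0) -> bool:
    """True if a UDP/1434 payload size is more than k std devs from the baseline."""
    if p.proto != "UDP" or p.dport != SLAMMER_PORT:
        return False
    mu, sigma = mean(baseline), pstdev(baseline)
    return abs(p.payload_len - mu) > k * max(sigma, 1.0)

def classify(packets, baseline, active=True):
    """Per packet: (src, signature_hit, anomaly_hit, action).
    A passive IDS only alerts; an active IDP blocks on a signature hit. A size
    anomaly alone is alerted, not blocked, to limit false positives (page 19)."""
    results = []
    for p in packets:
        sig, anom = signature_match(p), anomaly_match(p, baseline)
        if sig:
            action = "block" if active else "alert"
        elif anom:
            action = "alert"
        else:
            action = "allow"
        results.append((p.src, sig, anom, action))
    return results

# Constructed baseline of normal SQL Server Resolution Service payload sizes.
BASELINE = [1, 1, 2, 26, 30, 28, 1, 2, 25, 29]

SAMPLE = [
    Packet("10.0.0.5", "UDP", 1434, 1),    # ordinary SSRS query
    Packet("10.0.0.7", "UDP", 1434, 376),  # worm-sized datagram
    Packet("10.0.0.8", "UDP", 1434, 200),  # unusual size, no signature
    Packet("10.0.0.6", "TCP", 1433, 376),  # same size, different service
]
```

Running `classify(SAMPLE, BASELINE)` blocks only the worm-sized UDP/1434 datagram, alerts on the merely unusual one, and lets the other two through.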

Page 25

Outline
- What is intrusion detection
- Host, Network & Perimeter Detection
- The Emergence of Intrusion Prevention
- Real-World Examples
- Future Directions

Page 26

Future Directions What do you think?

Page 27

IDS Classification

[Figure: classification tree, reconstructed as a list]
- Intrusion detection approach: anomaly detection; signature detection
- Protected systems: HIDS; NIDS; hybrids
- Structure: centralized system; distributed system; agent system
- Data sources: audit trail; network packets; system state analysis (kernel, services, file, etc.)
- Behavior after an attack: active IDS; passive IDS
- Analysis timing: on-the-fly processing; interval-based IDS

Page 28

Terms
- Anomaly detection: explores issues in intrusion detection associated with deviations from normal system or user behavior
- Signature detection: discriminates between anomaly or attack patterns (signatures) and known intrusion detection signatures (also called rule-based detection)
- HIDS: uses information derived from a single host
- NIDS: exploits information obtained from a whole segment of a local network
- Passive IDS: simply generates alerts and logs network packets
- Active IDS: detects and responds to attacks, attempts to patch software holes before getting hacked, or acts proactively by logging out potential intruders or blocking services


Page 30

Cat with Boots