Detection Intrusion, Malware, and Fraud

Detection Intrusion, Malware, and Fraud. 2 Intrusion Detection Systems Development of IDSs is to address increasing numbers of network attacks An IDS


Slide 1: Detection Intrusion, Malware, and Fraud

Slide 2: Intrusion Detection Systems

IDSs were developed to address the increasing number of network attacks
An IDS looks for anomalies that differ from an established baseline
IDSs are categorized as:
    Signature-based
    Anomaly-based

Slide 3: What is IDS?

The ideal Intrusion Detection System will notify the system/network manager of a successful attack in progress:
    With 100% accuracy
    Promptly (in under a minute)
    With complete diagnosis of the attack
    With recommendations on how to block it
…Too bad it doesn’t exist!!

Slide 4: Objectives: 100% Accuracy and 0% False Positives

A False Positive is when a system raises an incorrect alert
    “The boy who cried ‘wolf!’” syndrome
0% false positives is the goal
    It’s easy to achieve this: simply detect nothing
0% false negatives is another goal: don’t let an attack pass undetected

Slide 5: Objectives: Prompt Notification

To be maximally accurate the system may need to “sit on” information for a while until all the details come in
    e.g.: Slow-scan attacks may not be detected for hours
This has important implications for how “real-time” IDS can be!
IDS should notify user as to detection lag
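The slow-scan point above, as an added example that is not part of the slides: a port-scan detector that has to "sit on" connection attempts for a window of time before it can say anything, and that reports its own detection lag when it finally alerts. The window length, threshold, addresses and event timings are all constructed for the demonstration.

```python
from collections import defaultdict, deque

# Constructed detector (not from the slides): a source is flagged as
# scanning once it has touched THRESHOLD distinct destination ports within
# WINDOW seconds. A scan paced slower than the window never trips it, and
# one that does is only reported once the threshold is reached, which is
# the detection lag the slide says the IDS should tell the user about.
WINDOW = 3600      # seconds; a long window is what makes slow scans catchable
THRESHOLD = 10     # distinct ports per source that count as a scan

class SlowScanDetector:
    def __init__(self, window=WINDOW, threshold=THRESHOLD):
        self.window = window
        self.threshold = threshold
        self.seen = defaultdict(deque)   # src -> deque of (ts, dport)

    def observe(self, ts, src, dport):
        """Feed one connection attempt (ts in seconds). Return the detection
        lag, i.e. seconds since the oldest event still in the window, if an
        alert fires now; otherwise None."""
        q = self.seen[src]
        q.append((ts, dport))
        while q and ts - q[0][0] > self.window:   # expire events outside window
            q.popleft()
        if len({p for _, p in q}) >= self.threshold:
            lag = ts - q[0][0]
            q.clear()                              # one alert per scan
            return lag
        return None

def run(events, window=WINDOW, threshold=THRESHOLD):
    """Replay (ts, src, dport) events; return [(src, alert_ts, lag), ...]."""
    det = SlowScanDetector(window, threshold)
    alerts = []
    for ts, src, dport in events:
        lag = det.observe(ts, src, dport)
        if lag is not None:
            alerts.append((src, ts, lag))
    return alerts

# Constructed samples: one probe every 5 minutes against ports 1..12,
# and the same 12 probes paced one every 20 minutes.
SLOW_SCAN = [(i * 300, "10.0.0.5", i + 1) for i in range(12)]
SLOWER_SCAN = [(i * 1200, "10.0.0.6", i + 1) for i in range(12)]
```

With the one-hour window the 5-minute scan is reported 45 minutes after it started, while the 20-minute scan is never reported at all; widening the window catches it, at the cost of an even longer lag.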

Slide 6: Objectives: Prompt Notification (cont)

Notification channel must be protected
    What if attacker is able to block notification mechanism?
    An IDS that uses E-mail to notify you is going to have problems notifying you that your E-mail server is under a denial of service attack!

Slide 7: Objectives: Diagnosis

Ideally, an IDS will categorize/identify the attack
    Few network managers have the time to know intimately how many network attacks are performed

Slide 8: Objectives: Recommendation

The ultimate IDS would not only identify an attack, it would:
    Assess the target’s vulnerability
    If the target is vulnerable it would notify the administrator
    If the vulnerability has a known “fix” it would include directions for applying the fix
This requires huge, detailed knowledge

Slide 9: IDS: Pros

A reasonably effective IDS can identify:
    Internal hacking
    External hacking attempts
May act as a backstop if a firewall or other security measures fail

Slide 10: IDS: Cons

IDSs don’t typically act to prevent or block attacks
    They don’t replace firewalls, routers, etc.
If the IDS detects trouble on your interior network what are you going to do?
    By definition it is already too late

Slide 11: Paradigms for Deploying IDS

Attack Detection
Intrusion Detection

Slide 12: Attack Detection

[Network diagram with labels: Internet, Router w/ some screening, Firewall, DMZ Network, WWW Server, Internal Network, Desktop, IDS]
IDS detects (and counts) attacks against the Web Server and firewall

Slide 13: Attack Detection

Placing an IDS outside of the security perimeter records attack level
    Presumably if the perimeter is well designed the attacks should not affect it!
    Still useful information for management (“we have been attacked 3,201 times this month…”)
Prediction: The AD will generate a lot of noise and be ignored quickly

Slide 14: Intrusion Detection

[Network diagram with labels: Internet, Router w/ some screening, Firewall, DMZ Network, WWW Server, Internal Network, Desktop, IDS]
IDS detects hacking activity WITHIN the protected network, incoming or outgoing

Slide 15: Intrusion Detection

Placing an IDS within the perimeter will detect instances of clearly improper behavior:
    Hacks via backdoors
    Hacks from staff against other sites
    Hacks that got through the firewall
When the IDS alarm goes off, it’s a red alert

Slide 16: Attack vs Intrusion Detection

Ideally do both
Realistically, do ID first then AD
The real question here is one of staffing costs to deal with alerts generated by AD systems

Slide 17: IDS Data Source Paradigms

Host Based
Network Based

Slide 18: Host Based IDS

Collect data usually from within the operating system:
    C2 audit logs
    System logs
    Application logs
Data collected in very compact form
    But application / system specific

Slide 19: Host Based: Pro

Quality of information is very high
    Software can “tune” what information it needs
    Kernel logs “know” who user is
Density of information is very high
    Often logs contain pre-processed information

Slide 20: Host Based: Con

Capture is often highly system specific
    Usually only 1, 2 or 3 platforms are supported (“you can detect intrusions on any platform you like as long as it’s Solaris or NT!”)
Performance is a wild-card
    To unload computation from the host, logs are usually sent to an external processor system

Slide 21: Network Based IDS

Collect data from the network or a hub / switch
    Reassemble packets
    Look at headers
Try to determine what is happening from the contents of the network traffic
    User identities, etc. inferred from actions

Slide 22: Network Based: Pro

No performance impact
No management impact on platforms
Works across O/S’
Can derive information that host based logs might not provide (packet fragmenting, port scanning, etc.)

Slide 23: Network Based: Con

May lose packets on flooded networks
May mis-reassemble packets
May not understand O/S specific application protocols (e.g.: SMB)
May not understand obsolete network protocols (e.g.: anything non-IP)
Does not handle encrypted data

Slide 24: IDS Paradigms

Anomaly Detection - the AI approach
Misuse Detection - simple and easy
Hybrids - a bit of this and that

Slide 25: Anomaly Detection

Goals:
    Analyse the network or system and infer what is normal
    Apply statistical or heuristic measures to subsequent events and determine if they match the model/statistic of “normal”
    If events are outside of a probability window of “normal” generate an alert (tuneable control of false positives)

Slide 26: Anomaly Detection (cont)

Typical anomaly detection approaches:
    Neural networks - probability-based pattern recognition
    Statistical analysis - modelling behavior of users and looking for deviations from the norm
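The statistical approach just described, and the false-positive / false-negative objectives from the earlier slide, as an added example that is not part of the slides: a baseline of one per-user metric is fitted, later values are judged against a tuneable "probability window" k, and the detector is scored on labelled data. The metric, the baseline sample, the labelled values and the choice of k are all constructed for the demonstration.

```python
import statistics

# Constructed example, not from the slides: 'normal' is modelled as the mean
# and standard deviation of a baseline sample of one metric, and a later
# value is flagged when it lies more than k standard deviations away. k is
# the tuneable probability window; sweeping it shows the false-positive /
# false-negative trade-off, including the 'detect nothing' corner case.

def fit_baseline(values):
    """Return (mean, population standard deviation) of the baseline sample."""
    return statistics.mean(values), statistics.pstdev(values)

def is_anomalous(value, baseline, k):
    """True if value is more than k standard deviations from the baseline mean."""
    mean, sd = baseline
    return abs(value - mean) > k * sd

def evaluate(baseline, labelled, k):
    """Return (false_positive_rate, false_negative_rate) of the detector at
    threshold k over (value, is_attack) pairs with known labels."""
    fp = fn = normal = attacks = 0
    for value, is_attack in labelled:
        flagged = is_anomalous(value, baseline, k)
        if is_attack:
            attacks += 1
            fn += not flagged
        else:
            normal += 1
            fp += flagged
    return fp / normal, fn / attacks

# Constructed data: kilobytes per minute sent by a user who normally moves
# 40-60 KB, plus a few attack minutes (exfiltration-like bursts and one
# low-and-slow transfer at 62 KB that hides inside normal variation).
BASELINE = [40, 45, 50, 55, 60, 48, 52, 47, 53, 50]
LABELLED = ([(v, False) for v in (42, 49, 58, 61, 70, 50, 46, 55)]
            + [(v, True) for v in (150, 400, 62, 300)])

def sweep(ks=(1, 2, 3, 100)):
    """Map each k to its (FP rate, FN rate). A low k catches everything but
    cries wolf; k=3 misses the 62 KB transfer; k=100 alerts on nothing,
    which is the 0% false positive / 100% false negative 'detector'."""
    base = fit_baseline(BASELINE)
    return {k: evaluate(base, LABELLED, k) for k in ks}
```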

Slide 27: Anomaly Detection: Pro

If it works it could conceivably catch any possible attack
If it works it could conceivably catch attacks that we haven’t seen before
    Or close variants to previously-known attacks
Best of all it won’t require constantly keeping up on hacking technique

Slide 28: Anomaly Detection: Con

Current implementations don’t work very well
    Too many false positives/negatives
Cannot categorize attacks very well
    “Something looks abnormal”
    Requires expertise to figure out what triggered the alert
    Ex: Neural nets can’t say why they trigger

Slide 29: Anomaly Detection: Examples

Most of the research is in anomaly detection
    Because it’s a harder problem
    Because it’s a more interesting problem
There are many examples, these are just a few
    Most are at the proof of concept stage

Slide 30: Misuse Detection

Goals:
    Know what constitutes an attack
    Detect it

Slide 31: Misuse Detection (cont)

Typical misuse detection approaches:
    “Network grep” - look for strings in network connections which might indicate an attack in progress

Slide 32: Misuse Detection: Pro

Easy to implement
Easy to deploy
Easy to update
Easy to understand
Low false positives
Fast

Slide 33: Misuse Detection: Con

Cannot detect something previously unknown
Constantly needs to be updated with new rules
Easier to fool
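The "network grep" approach described two slides earlier, and the "easier to fool" con above, as an added example that is not part of the slides: a small string-signature matcher run over reassembled connection payloads, with the payload normalized (percent-decoded and lower-cased) before matching so that a literal grep is not bypassed by trivial re-encoding. The rule names, patterns, addresses and payloads are all constructed for the demonstration and are not taken from any real ruleset.

```python
import re
from urllib.parse import unquote

# Constructed 'network grep' ruleset, not from the slides or any real IDS:
# each rule is a name plus a byte pattern looked for in the reassembled
# payload of a connection.
SIGNATURES = [
    ("unix-password-file-request", rb"/etc/passwd"),
    ("directory-traversal", rb"\.\./\.\./"),
    ("windows-shell-request", rb"cmd\.exe"),
]

def normalize(payload: bytes) -> bytes:
    """Percent-decode and lower-case the payload first. This is the step a
    plain substring grep lacks and the reason it is 'easier to fool': the
    same request written with %2F or upper case slips past a literal match."""
    text = unquote(payload.decode("latin-1"), encoding="latin-1")
    return text.encode("latin-1").lower()

def match_signatures(payload: bytes, normalized=True):
    """Return the names of every rule whose pattern occurs in the payload."""
    data = normalize(payload) if normalized else payload
    return [name for name, pat in SIGNATURES if re.search(pat, data)]

def scan_connections(conns, normalized=True):
    """Run the rules over (src, dst, payload) records; return (src, dst, rule)."""
    return [(src, dst, rule)
            for src, dst, payload in conns
            for rule in match_signatures(payload, normalized)]

# Constructed connection records, as a stream-reassembly stage would hand over
CONNECTIONS = [
    ("10.1.1.7", "192.0.2.10", b"GET /index.html HTTP/1.0\r\n\r\n"),
    ("10.1.1.9", "192.0.2.10", b"GET /cgi-bin/view?f=../../etc/passwd HTTP/1.0\r\n\r\n"),
    ("10.1.1.9", "192.0.2.10", b"GET /scripts/..%2F..%2FCMD.EXE HTTP/1.0\r\n\r\n"),
]
```

Running `scan_connections(CONNECTIONS, normalized=False)` raises alerts only on the second record; with normalization the third record is caught as well, which is why real signature engines decode protocols before matching rather than grepping raw bytes.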

Slide 34: Hybrid IDS

The current crop of commercial IDS are mostly hybrids:
    Misuse detection (signatures or simple patterns)
    Expert logic (network-based inference of common attacks)
    Statistical anomaly detection (values that are out of bounds)

Slide 35: Hybrid IDS (cont)

At present, the hybrids’ main strength appears to be the misuse detection capability
    Statistical anomaly detection is useful more as backfill information in the case of something going wrong
    Too many false positives - many sites turn anomaly detection off

Slide 36: Intrusion Detection Systems (Cont.)

Common IDS solutions available today:
    Cisco Secure IDS
    Enterasys™ Dragon®
    Elm 3.0
    GFI LANguard S.E.L.M
    Intrust Event Admin
    Snort®
    Tripwire
    eTrust®

Slide 37: Network Forensics Abuse

With an IDS system anyone can:
    Spy on users’ e-mail
    Capture passwords
    Know what Web pages were viewed
    Covertly see the contents of a customer’s shopping cart

Slide 38: Examining Data

Verifying the integrity of the data
    There are guidelines that can help ensure the integrity of network data:
        Logs
        Time/date stamps
        IDS alerts
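One way to make logs, time/date stamps and IDS alerts verifiable after the fact, as an added example that is not part of the slides: a hash-chained, keyed log in which every record commits to the previous one, so that a deleted, edited or reordered entry is detectable. The key, the timestamps and the log messages are constructed placeholders.

```python
import hashlib
import hmac

# Constructed example, not from the slides: every log line carries a keyed
# hash (HMAC-SHA256) over the previous line's hash, its own timestamp and
# its message. Editing, deleting or reordering any line then breaks the
# hash of every line after it. Using a key rather than a plain hash means
# an intruder who can edit the log cannot just recompute the chain; the
# key is assumed to live on a separate log collector, not the monitored host.
GENESIS = "0" * 64            # chain value before the first record

def record_hash(key: bytes, prev_hash: str, timestamp: str, message: str) -> str:
    data = f"{prev_hash}|{timestamp}|{message}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def write_log(key: bytes, events):
    """Turn (timestamp, message) pairs into chained 'timestamp|message|hash' lines."""
    lines, prev = [], GENESIS
    for ts, msg in events:
        prev = record_hash(key, prev, ts, msg)
        lines.append(f"{ts}|{msg}|{prev}")
    return lines

def verify_log(key: bytes, lines):
    """Return the index of the first line whose hash does not check out, or
    None if the whole chain is intact. ISO timestamps and hex digests never
    contain '|', so splitting on the first and last '|' is safe even when
    the message itself contains one."""
    prev = GENESIS
    for i, line in enumerate(lines):
        ts, rest = line.split("|", 1)
        msg, digest = rest.rsplit("|", 1)
        if not hmac.compare_digest(record_hash(key, prev, ts, msg), digest):
            return i
        prev = digest
    return None

KEY = b"constructed-demo-key"   # placeholder; a real key is generated on the collector
EVENTS = [                      # constructed sample records
    ("2003-05-01T10:00:00Z", "ids alert: port scan from 10.0.0.5"),
    ("2003-05-01T10:02:13Z", "sshd: accepted login for admin from 10.0.0.5"),
    ("2003-05-01T10:05:40Z", "ids alert: /etc/passwd request from 10.0.0.5"),
]

def tamper_demo():
    """Delete the middle line, as someone covering tracks might, and report
    the index at which verification first fails (1: the former third line
    now follows a hash it was not written after)."""
    lines = write_log(KEY, EVENTS)
    del lines[1]
    return verify_log(KEY, lines)
```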