Intrusion Detection Presentation : 2 OF n by Manish Mehta 02/07/03

Intrusion Detection Presentation : 2 OF n

by Manish Mehta

02/07/03

What will we discuss?

• Network-Based Detection
• Network-based Architecture
  - Traditional Sensor-based
  - Distributed Network-node
• Network Intrusion Detection Engine
  - Signatures
• Operational Concepts for network-based detection
• Benefits of network-based ID
• Challenges for network-based Technologies

Introduction

• Why is it called ‘network-based’?
  - used to analyze network packets.
  - packets are ‘sniffed’ off the network.

• TCP/IP is the most common protocol targeted by commercial IDS.

• Different technologies can resolve different levels of protocols through the application layer.

Network-based Detection

• Most network-based attacks are directed at OS vulnerabilities.

• These are exploited mainly towards the following ends:
  – Unauthorized Access
  – Data/Resource Theft
  – Denial of Service

Unauthorized Access

Unauthorized Login
- Key is to detect before/while logging in.
- TFTP is well-known for lack of security.
- SunOS 4.1.x had security problems with its file sharing protocol.

Jump-off Point
- They are ‘bad’ and not ‘stupid’.
- A compromised computer can open up several other computers in the same organization.
- Why is my mail server contacting DoD?

Data/Resource Theft

Information theft
- Password file download gives the attacker the ability to compromise other systems. (look for ‘/etc/passwd’)
- Secret data file download: credit card numbers, employee HR data

Bandwidth Theft
- Firms with a lot of bandwidth that is not used at all times.
- If the business of the attacker grows, he will be caught.

Denial of Service

Malformed Packets
- Not all error conditions are taken care of while coding the protocol stack.
- Code is not prepared to handle impossible situations in argument fields.

Packet Flooding
- Not a very sophisticated attack.
- If the source address is spoofed, it can be hard to deal with.

Distributed DoS
- Special case of flooding (several machines attack at once)
- ID is not a very good tool against this attack, but it can be helpful

NID Architecture

• Two types of NID

Traditional Sensor-based (Promiscuous mode)

- obtain packets, search for patterns, report alarms to the central command console.

Network-node (Distributed)

- Agent on each computer (for individual target)

Traditional Sensor-based Architecture

• Ethernet Chip in Promiscuous mode

• “sniffed” packets are fed to the detection engine (typically on the same machine)

• Taps are distributed to all mission-critical segments (generally one per segment)

• Central command console correlates alarms from multiple sensors.

Life cycle of a Packet

• Packet is born.
• “sniffed” off the wire in real-time by the sensor. (a stand-alone machine or a network device in promiscuous mode)

• Detection engine matches the predefined patterns. If matched, Alert is generated and forwarded to central console.

• Security officer is notified.

Life cycle of a Packet (Contd.)

• Response is generated.
  - Reconfiguring of routers/firewall rules
  - Terminate session

• Alert is stored for later review and correlation.

• Reports are generated.
• Data forensics for long-term trends.

Distributed Network-node Architecture

• Sensor on every computer.
• Every sensor is concerned about the target it resides on.
• Now confused between host and network based??

- the difference between host and network based ID is the source of data

• Network-node agents communicate with each other on the network to correlate alarms at the console.

Life cycle of a Packet

• Packet is born.
• The packet is read in real-time through a sensor resident on the destination machine.
• A Detection Engine is used to match signatures of misuse. If a pattern is found, an alarm is generated and forwarded to the central console or other sensors on the network.

Life cycle of a Packet (Contd.)

• Security officer is notified.
• Response is generated.
  - Reconfiguring of routers/firewall rules
  - Terminate session
• Alert is stored for later review and correlation.
• Reports are generated.
• Data forensics for long-term trends.

Misconception

Real-Time ID

“I need Intrusion Detection”

“Are you interested in network-based or host based?”

“Oh, I need real-time Intrusion Detection”

“Great, on the host or the network”

“What???”

Network Intrusion Detection Engine

• This is where the real magic is !!

• A stream of time-sequential TCP/IP packets is processed to detect predetermined sequences and patterns (signatures).

• Speed – An Issue.

Network Signatures

• Packet Content Signatures
  - based on contents of packets (smart ??)
• Traffic Analysis Signatures
  - based on header information and flow of traffic

• More on detection mechanisms in future talks.

Packet Content Signatures

• Simple Example
  - Copy password file over FTP.
  - Look for pattern “passwd” in the packet.

(Output of Snoop)
    Source.com dest.com
    ETHER Type=0800(IP), size = 67 bytes
    IP D= 134.193.22.26 S=134.193.18.3 LEN=53, ID=34704
    TCP D=21 S=2095 Ack=21233432 Seq=21342876 Len=13 Win=4096
    FTP C port=2095 RETR \etc\passwd\r\n
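A content signature engine for the example above, written as an added illustration (it is not code from the presentation): it decodes the IPv4 and TCP headers of a raw packet, and fires only when the “passwd” pattern appears in the payload of an FTP command connection (port 21). The sample packet is constructed inline from the addresses and ports in the snoop output; checksums are left at zero.

```python
import ipaddress
import struct

# Content signatures: (name, destination port, byte pattern to look for in the payload).
SIGNATURES = [
    ("FTP password file retrieval", 21, b"passwd"),
]

def match_content_signatures(packet: bytes):
    """Decode the IPv4 and TCP headers of one raw packet and search the TCP
    payload for each signature pattern. Returns a list of alert tuples."""
    if packet[0] >> 4 != 4 or packet[9] != 6:   # IPv4 carrying TCP only
        return []
    ihl = (packet[0] & 0x0F) * 4                # IP header length in bytes
    src = str(ipaddress.ip_address(packet[12:16]))
    dst = str(ipaddress.ip_address(packet[16:20]))
    tcp = packet[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    payload = tcp[(tcp[12] >> 4) * 4:]          # skip TCP header (data offset)
    alerts = []
    for name, sig_port, pattern in SIGNATURES:
        if dport == sig_port and pattern in payload:
            alerts.append((name, src, sport, dst, dport,
                           payload.decode("ascii", "replace").rstrip()))
    return alerts

def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed test packet mirroring the slide's snoop output (checksums zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 21342876, 21233432,
                      5 << 4, 0x18, 4096, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 34704,
                     0, 64, 6, 0, ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    return ip + tcp + payload

# Constructed sample: the FTP command from the slide, in a single unfragmented packet.
SAMPLE_PACKET = build_ipv4_tcp("134.193.18.3", "134.193.22.26", 2095, 21,
                               b"RETR /etc/passwd\r\n")
```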

Traffic Analysis Signature

• Simple Examples
  - A lot of packets destined to one machine in a relatively short period of time. (an attempted DoS attack)
  - A packet coming from outside the network with a source IP address belonging to the inside network.
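Both traffic analysis signatures above, implemented over packet header records as an added example (not from the presentation). It assumes the inside network is 134.193.0.0/16, that the sensor records which direction each packet was seen in, and constructed thresholds of 100 packets to one destination within one second; the records are constructed, not captured traffic.

```python
import ipaddress
from collections import defaultdict, deque

INTERNAL_NET = ipaddress.ip_network("134.193.0.0/16")  # assumed "inside" address space
FLOOD_THRESHOLD = 100   # packets to one destination ...
FLOOD_WINDOW = 1.0      # ... within this many seconds

def analyze_traffic(records):
    """records: iterable of (timestamp, direction, src_ip, dst_ip) taken from headers,
    where direction is 'in' for packets arriving from outside the firewall.
    Returns alert tuples (signature, src, dst, timestamp)."""
    alerts = []
    recent = defaultdict(deque)   # dst -> timestamps seen within FLOOD_WINDOW
    already_flagged = set()       # report each flooded destination once
    for ts, direction, src, dst in records:
        # Signature 2: an outside packet claiming an inside source address.
        if direction == "in" and ipaddress.ip_address(src) in INTERNAL_NET:
            alerts.append(("spoofed internal source", src, dst, ts))
        # Signature 1: too many packets to one host in a short period.
        window = recent[dst]
        window.append(ts)
        while ts - window[0] > FLOOD_WINDOW:   # drop timestamps outside the window
            window.popleft()
        if len(window) >= FLOOD_THRESHOLD and dst not in already_flagged:
            already_flagged.add(dst)
            alerts.append(("possible DoS flood", None, dst, ts))
    return alerts

def sample_records():
    """Constructed header records: quiet background traffic, a 150-packet burst
    in under half a second, and one outside packet bearing an inside address."""
    recs = [(1.0, "in", "203.0.113.5", "134.193.22.26"),
            (2.0, "out", "134.193.18.3", "203.0.113.5")]   # inside source leaving: fine
    recs += [(10.0 + i * 0.003, "in", f"198.51.100.{i % 50 + 1}", "134.193.22.26")
             for i in range(150)]
    recs.append((12.0, "in", "134.193.18.3", "134.193.22.26"))
    return recs
```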

Operational Concept

• A NIDS only performs as well as it is operated. (configured)

• The value of the system depends on the skills of the operator.

• Network based ID may be used in a manner that requires very few resources.

How do I use NIDSs?

• The specific use of a NIDS is dependent on environment-specific requirements.

• Sensor placement plays an important role.
  Example: A sensor placed outside the firewall will identify source addresses attempting to attack you. Sensors placed inside the firewall will detect attacks that successfully circumvent your firewall.
  (IF you don’t have a Firewall, YOU SHOULDN’T BE HERE ! GO INSTALL IT FIRST !!)

Operational Modes

• Operational mode describes the manner in which you will operate your NIDS and partially describes the end goals of monitoring.

• Two primary operational modes:

- Tip-Off

- Surveillance

Tip-Off and Surveillance

• The defining characteristic of tip-off: the system is detecting something previously unsuspected.

• Unlike tip-off, Surveillance takes place when misuse is already indicated or suspected. It is an increased effort to observe the behavior of a small set of objects.

Benefits of NID

• Outside Deterrence
  - A notification to the hacker can enhance the deterrent value of an IDS.

• Threat Detection

- Can be used deterministically or in a Decision Support Context.

• Automated Response and Notification.
  - Pager, SNMP trap, On Screen, Audible, E-mail.

Challenges for Network-based Technologies (promiscuous-mode)

• Packet Reassembly (IP fragmentation)
  - can only search for patterns after reassembly.

• High-speed networks (Gig E?)

• Sniffer Detection Programs (Antisniff)

• Switched Networks (IP over ATM?)

• Encryption (IPSec, VPN)
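The packet reassembly challenge from the list above, as an added example that is not part of the presentation: the slide's FTP command is split so that “passwd” straddles two IP fragments, a per-fragment search misses it, and only a reassembler that orders fragments by offset and waits for a gap-free datagram ending in MF=0 lets the content signature fire. Fragment objects and the sample are constructed inline.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Fragment:
    ip_id: int      # IP identification field shared by all fragments of one datagram
    offset: int     # byte offset of this fragment's data within the original datagram
    more: bool      # MF (more fragments) flag
    data: bytes

def match_per_fragment(fragments, pattern: bytes) -> bool:
    """Naive sensor: inspects each fragment on its own, so a pattern that
    straddles a fragment boundary is never seen."""
    return any(pattern in f.data for f in fragments)

def reassemble(fragments):
    """Rebuild complete datagrams and return {ip_id: payload}. Datagrams with a
    hole, an overlap, or no final (MF=0) fragment are left out; a sensor should
    hold them until the missing piece arrives rather than inspect them."""
    groups = defaultdict(list)
    for f in fragments:
        groups[f.ip_id].append(f)
    complete = {}
    for ip_id, frags in groups.items():
        frags.sort(key=lambda f: f.offset)          # fragments may arrive out of order
        expected, buf, finished = 0, bytearray(), False
        for f in frags:
            if f.offset != expected:                 # gap or overlap: not reassemblable yet
                break
            buf += f.data
            expected += len(f.data)
            finished = not f.more
        else:
            if finished:
                complete[ip_id] = bytes(buf)
    return complete

def match_after_reassembly(fragments, pattern: bytes) -> bool:
    """Correct sensor: reassemble first, then run the content signature."""
    return any(pattern in payload for payload in reassemble(fragments).values())

# Constructed sample: the slide's FTP command split so "passwd" spans two fragments.
SAMPLE = [
    Fragment(34704, 0, True, b"RETR /etc/pas"),
    Fragment(34704, 13, False, b"swd\r\n"),
]
```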

Questions ?

Until then ..