Intrusion Detection Systems By: William Pinkerton and Sean Burnside


Intrusion Detection Systems

By: William Pinkerton and Sean Burnside


What is IDS

• IDS is the acronym for Intrusion Detection Systems
• Secure systems from attack
• Attacks on a system come through the network, by either:
  • Crackers
  • Hackers
  • Disgruntled employees
• Five different kinds of intrusion detection systems:
  1. Network-based
  2. Protocol-based
  3. Application-based
  4. Host-based
  5. Hybrid


History of IDS

• Began in the mid 1980’s
• James P. Anderson
  • “Computer Security Threat Monitoring and Surveillance”
• Fred Cohen
  • The inventor of defenses against viruses
  • Said, “It is impossible to detect an intrusion in every case” and “the resources needed to detect intrusion grows with the amount of usage”
• Dorothy E. Denning, assisted by Peter Neumann
  • Created an anomaly-based intrusion detection system
  • Named Intrusion Detection Expert System
  • Later version was named Next-generation Intrusion Detection Expert System


Passive vs. Reactive Systems

• Passive System
  • First detects a breach
  • Logs the breach and/or alerts the administrator(s)
• Reactive System
  • Takes more action than alerting on the breach, by either:
    • Resetting the connection
    • Reprogramming the firewall


Firewall and Antivirus vs. IDS

• Firewall
  • Blocks potentially harmful incoming or outgoing traffic
  • Does not detect intrusions
• Antivirus
  • Scans files to identify or eliminate either:
    • Malicious software
    • Computer viruses
• Intrusion Detection Systems
  • Alert an administrator(s) of suspicious activity
  • Look for intrusions before they happen

**Note: For maximum protection it is best to have all three!!**


5 Methods of IDS

1. Network-based Intrusion Detection System
2. Protocol-based Intrusion Detection System
3. Application-based Intrusion Detection System
4. Host-based Intrusion Detection System
5. Hybrid Intrusion Detection System


Network-based Intrusion Detection System

• Runs at different points of a network
• Scans for DOS attacks, activity on ports and hacking
• Also scans incoming and outgoing packets for bad traffic
• Pros
  • Not much overhead on the network
  • Installing, upkeep and securing is easy
  • Undetectable by most attackers
• Cons
  • Has trouble with large networks

• Cons (cont.)
  • Has trouble with switch-based networks
  • No reporting of whether an attack fails or succeeds
  • Cannot look at encrypted data
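As an added illustration (not code from the slides or from any of the tools they name), the following Python sketch shows the simplest form of the "activity on ports" check a network-based sensor runs over packet metadata: it counts how many distinct destination ports one source touches on one host inside a sliding time window and raises an alert past a threshold. The packets, addresses, window and threshold are all constructed assumptions; a real sensor would read the tuples from a capture rather than a list. Note that the check uses only headers, which is exactly why the encrypted-payload limitation listed above does not affect it.

```python
"""Added example: a minimal network-based port-scan detector over packet metadata.

All sample data below is constructed; thresholds and addresses are illustrative.
"""
from collections import defaultdict, deque


def syn_packets(ts0, src, dst, ports, step=0.1):
    """Build constructed (timestamp, src, dst, dst_port, flags) tuples, one SYN per port."""
    return [(ts0 + i * step, src, dst, port, "S") for i, port in enumerate(ports)]


# Constructed sample: one source sweeping 30 ports in 3 s, one ordinary client,
# and the sweeping source touching only two ports on another host much later.
SAMPLE_PACKETS = (
    syn_packets(0.0, "192.0.2.10", "198.51.100.7", range(1, 31))
    + syn_packets(1.0, "192.0.2.20", "198.51.100.7", [80, 443, 8080])
    + syn_packets(50.0, "192.0.2.10", "198.51.100.8", [22, 80])
)


def detect_port_scans(packets, window_s=10.0, port_threshold=15):
    """Alert when one source sends SYNs to at least port_threshold distinct ports
    on one destination within window_s seconds.  Only SYN-without-ACK packets
    are counted, so established connections do not inflate the count."""
    recent = defaultdict(deque)  # (src, dst) -> deque of (ts, dst_port) inside the window
    alerted = set()              # (src, dst) pairs already reported, to avoid repeat alerts
    alerts = []
    for ts, src, dst, dport, flags in sorted(packets, key=lambda p: p[0]):
        if "S" not in flags or "A" in flags:
            continue
        key = (src, dst)
        window = recent[key]
        window.append((ts, dport))
        while window and ts - window[0][0] > window_s:
            window.popleft()  # slide the window forward, dropping stale SYNs
        distinct_ports = {port for _, port in window}
        if len(distinct_ports) >= port_threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "src": src,
                "dst": dst,
                "distinct_ports": len(distinct_ports),
                "window_start": window[0][0],
                "window_end": ts,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_port_scans(SAMPLE_PACKETS):
        print("port scan:", alert)
```

On the constructed sample the sweeping source is reported once, when it reaches the fifteenth distinct port, while the ordinary client and the later two-port contact stay silent; lowering the window or raising the threshold suppresses the alert, which is the tuning trade-off every NIDS deployment has to make between missed scans and noise.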


Protocol-based Intrusion Detection System

• Sits at the front end of a server
• Usually used for web servers
• Two uses:
  • Making sure a protocol is enforced and used correctly
  • Teaching the system the constructs of a protocol
• Pros
  • Easier for the system to pick up on attacks since it is protocol-based
• Cons
  • Rules for protocols come out slowly, which can leave a gap in coverage against attacks


Host-based Intrusion Detection System

• Internally based detection system
• Analyses a system four ways:
  • File system monitoring
  • Logfile analysis
  • Connection analysis
  • Kernel-based intrusion detection
• Pros
  • Analyses encrypted data
  • Can keep up with switch-based networks
  • Provides more information about attacks

• Pros (cont.)
  • System can tell what processes were used in the attack
  • System can tell the users involved in the attack
• Cons
  • Decrease in network performance if multiple hosts are analyzed
  • If the host machine is broken the system can be disabled
  • Affected by DOS attacks
  • Needs a lot of resources
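The first of the four host-based techniques, file system monitoring, is easy to show concretely. The Python below is an added example, not code from the slides or from any named product: it hashes every regular file under a root with SHA-256 to form a baseline, then diffs a later snapshot to report added, removed and modified files. The directory tree, its file contents and the simulated tampering are constructed inside a temporary directory so the script runs offline; a real HIDS would also record ownership, permissions and timestamps and keep the baseline somewhere the monitored host cannot rewrite it.

```python
"""Added example: file-system monitoring as a host-based IDS does it.

Takes a SHA-256 baseline of a directory tree, then reports files that were
added, removed or modified.  The directory contents below are constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Map each regular file (POSIX-style relative path) under root to its hash."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_baseline(baseline, current):
    """Diff two baselines; any hash change on a known path counts as modified."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a tiny fake root, change it, then diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF constructed stand-in for a binary")
        baseline = build_baseline(root)

        # Simulated changes of the kind a HIDS is meant to surface.
        (root / "etc" / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/sh\nextra:x:0:0::/:/bin/sh\n")  # account file edited
        (root / "bin" / "ls").unlink()                                   # binary removed
        (root / "bin" / "unknown.so").write_bytes(b"constructed content")  # unexpected new file

        return compare_baseline(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

The diff is what the sensor would log or alert on; whether it only reports (passive) or also restores the file from a known-good copy (reactive) is the deployment choice discussed earlier in the slides.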


Application-based Intrusion Detection System

• System is application-specific
• Monitors dynamic behaviours and states of a protocol
• The system analyzes the communication between applications
• Pros
  • Greater chance of detecting an attack since it is application-specific
  • Can look at encrypted data
• Cons
  • Needs a lot of processing power


Hybrid Intrusion Detection System

• Combines two or more systems
• Pros
  • It has the same pros as the systems that it is based on
• Cons
  • It has the same cons as the systems that it is based on


Top 5 IDS

1. Snort
2. OSSEC HIDS
3. Fragrouter
4. BASE
5. Sguil

Snort

• Lightweight, open source
• Originally named bro
• Developed by Lawrence Berkeley National Laboratory in 1998
• The most widely used intrusion detection system
• Capable of performing packet logging and real-time traffic analysis over IP networks


OSSEC HIDS

• Strong log analysis engine
• Correlates and analyzes logs from different devices and formats
• Can be centralized
  • Many different systems can be monitored
• Runs on most operating systems
  • Linux
  • OpenBSD
  • Mac OS X
  • Solaris
  • FreeBSD
  • Windows
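To make "correlate and analyze logs from different devices and formats" concrete, here is an added Python example (written for this page, not OSSEC's own code or rule syntax) that also ties back to the passive-versus-reactive distinction from the earlier slide. It normalises two constructed log formats, an sshd syslog line and a web server combined-log line, into one event shape, counts SSH failures per source, escalates the severity when the same source also shows up in the independent web log, and then either only alerts (passive) or additionally emits a firewall rule string (reactive). The log lines, addresses, thresholds and the choice of iptables as the firewall are all assumptions.

```python
"""Added example: log analysis across two log formats, with passive and
reactive responses.  Log lines, addresses and thresholds are constructed.
"""
import re
from collections import Counter, defaultdict

# Constructed sshd (syslog) and web server (combined log format) lines.
AUTH_LOG = [
    "Mar  3 10:01:02 host1 sshd[2201]: Failed password for root from 203.0.113.9 port 51122 ssh2",
    "Mar  3 10:01:04 host1 sshd[2201]: Failed password for root from 203.0.113.9 port 51123 ssh2",
    "Mar  3 10:01:05 host1 sshd[2203]: Failed password for invalid user admin from 203.0.113.9 port 51124 ssh2",
    "Mar  3 10:01:07 host1 sshd[2205]: Failed password for invalid user test from 203.0.113.9 port 51125 ssh2",
    "Mar  3 10:01:09 host1 sshd[2207]: Failed password for root from 203.0.113.9 port 51126 ssh2",
    "Mar  3 10:02:00 host1 sshd[2210]: Failed password for alice from 198.51.100.4 port 40001 ssh2",
    "Mar  3 10:02:30 host1 sshd[2212]: Accepted password for alice from 198.51.100.4 port 40002 ssh2",
]
WEB_LOG = [
    '203.0.113.9 - - [03/Mar/2024:10:00:10 +0000] "GET /admin HTTP/1.1" 404 210 "-" "curl/8.0"',
    '203.0.113.9 - - [03/Mar/2024:10:00:11 +0000] "GET /login HTTP/1.1" 200 1450 "-" "curl/8.0"',
    '192.0.2.55 - - [03/Mar/2024:10:00:12 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

# One decoder per log format; both yield the same event shape keyed by source IP.
SSHD_FAIL = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")
WEB_REQ = re.compile(
    r'^(\d+\.\d+\.\d+\.\d+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_events(auth_lines, web_lines):
    """Normalise both formats into a list of dict events with a common 'ip' field."""
    events = []
    for line in auth_lines:
        m = SSHD_FAIL.search(line)
        if m:
            events.append({"src": "sshd", "ip": m.group(2),
                           "kind": "auth_failure", "user": m.group(1)})
    for line in web_lines:
        m = WEB_REQ.match(line)
        if m:
            ip, method, path, status = m.groups()
            events.append({"src": "web", "ip": ip, "kind": "web_request",
                           "method": method, "path": path, "status": int(status)})
    return events


def correlate(events, fail_threshold=5):
    """One alert per IP with >= fail_threshold SSH failures; severity is raised
    when the same IP is also present in the (independent) web log."""
    failures = Counter(e["ip"] for e in events if e["kind"] == "auth_failure")
    web_paths = defaultdict(set)
    for e in events:
        if e["kind"] == "web_request":
            web_paths[e["ip"]].add(e["path"])
    alerts = []
    for ip, count in sorted(failures.items()):
        if count < fail_threshold:
            continue
        paths = sorted(web_paths.get(ip, ()))
        alerts.append({"ip": ip, "ssh_failures": count, "web_paths": paths,
                       "severity": "high" if paths else "medium"})
    return alerts


def respond(alerts, mode="passive"):
    """Passive: produce alert lines only.  Reactive: additionally produce a
    firewall rule (returned as a string here; a deployment would apply it)."""
    actions = []
    for a in alerts:
        actions.append(f"ALERT[{a['severity']}] {a['ip']}: {a['ssh_failures']} SSH failures, "
                       f"web paths {a['web_paths']}")
        if mode == "reactive":
            actions.append(f"iptables -I INPUT -s {a['ip']} -j DROP")
    return actions


if __name__ == "__main__":
    found = correlate(parse_events(AUTH_LOG, WEB_LOG))
    for line in respond(found, mode="reactive"):
        print(line)
```

On the constructed input only one source crosses the failure threshold, and because it also appears in the web log the alert is escalated; the legitimate user with a single typo never reaches the threshold. Reactive mode should be used with care in practice, since an attacker who can spoof or route through a shared address can turn an automatic block into a denial of service against legitimate users, which is one reason many deployments stay passive and leave blocking to an operator.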


Fragrouter

• Used to evade intrusion detection systems
• Limited to certain operating systems
  • BSD
  • Linux
• Good tool for finding weaknesses on a network, computers, or servers that an IDS may not be able to find


BASE

• Written in PHP
• Nice web front end
• Analyzes data stored in a database that is populated by firewalls, IDS, and network monitoring tools


Sguil

• Known for its graphical user interface
• Runs on operating systems that support Tcl/Tk
  • Linux
  • BSD
  • Solaris
  • MacOS
  • Win32
• Network security monitoring
• Provides intrusion detection system alerts


Question Time…