4471 Lecture 6
Intrusion Terminology
• Intrusion: attack on information assets in which a malicious
perpetrator tries to gain entry into, or disrupt, a system
• Intrusion detection: procedures and systems
created and operated to detect system intrusions
• Intrusion reaction: actions organization takes
upon detecting intrusion
• Intrusion correction: activities that restore normal operations
• Intrusion prevention: actions that try to deter intrusions
proactively, before they succeed
Intrusion Detection Systems (IDSs)
• Works like a burglar alarm: detects a violation of its
configuration (a rule match or a departure from baseline) and sounds an alarm
• IDSs inform admins of trouble via e-mail, pagers, or a management console
• Can configure systems to notify external security
org. of “break-in”
IDS Terminology
• Alert, alarm: indication that a system has just been attacked or is under attack
• False negative: IDS fails to detect actual attack (the more dangerous error)
• False positive: attack alert when none occurred (erodes trust in the IDS)
• Confidence value: IDS’s estimate of how likely an alert reflects a real attack
• Alarm filtering: classifying and tuning alerts so admins see only the ones that matter
IDS Classification Methods
① IDS detection methods:
– Signature-based (sig IDS)
– Statistical anomaly-based (stat IDS)
② IDS operation (where the sensor sits):
– Network-based intrusion detection system (NIDS)
– Host-based IDS (HIDS)
– Application-based system (AppIDS)
Classification (1): Sig. IDS
• Find network, host traffic patterns that match
known signatures
• Advantage: Many attacks have distinct signatures
• Disadvantages:
– IDS’s signature database must be updated to keep
pace with new attacks; a brand-new attack has no signature yet
– Attackers intentionally vary their payloads (encoding,
fragmentation, polymorphism) to evade signature matching
Classification (1): Stat. IDS
• Statistical anomaly-based IDS samples network
activity, compares it to a baseline of “known normal” traffic
• IDS sounds alarm when activity is outside
baseline parameters (e.g., request rate several standard deviations above the mean)
• Advantage: IDS can detect new types of attacks
• Disadvantages:
– Requires more overhead, compute power than
signature-based IDSs
– May generate many false positives; baseline must be
learned on clean traffic, or an ongoing attack becomes “normal”
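Added example (not part of the lecture): the two detection methods side by side, in Python, over constructed input. The log lines, signatures, and per-minute counts are all made up for the demonstration; the signature rules match a URL-decoded request path, and the anomaly rule flags any window more than k standard deviations above the mean of a clean baseline. The flood in the last window is caught by the statistical check although no signature describes it, which is the trade-off the slides describe.

```python
# Added example (not from the lecture): toy signature-based and
# statistical anomaly-based detectors run over constructed input.
import re
import statistics
from urllib.parse import unquote

# Constructed web-server log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2024:10:00:01] "GET /index.html HTTP/1.1" 200
10.0.0.7 - - [12/May/2024:10:00:02] "GET /about HTTP/1.1" 200
198.51.100.9 - - [12/May/2024:10:00:03] "GET /../../etc/passwd HTTP/1.1" 404
198.51.100.9 - - [12/May/2024:10:00:04] "GET /login?user=admin'%20OR%201=1-- HTTP/1.1" 500
10.0.0.5 - - [12/May/2024:10:00:05] "GET /index.html HTTP/1.1" 200
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Signature IDS: a rule name and a regex over the URL-decoded request path.
# Decoding first defeats the simplest evasion (percent-encoding the payload).
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sqli-tautology": re.compile(r"(?i)'\s*or\s+\d+\s*=\s*\d+"),
}

def signature_alerts(log_text):
    """Return (source_ip, rule_name) for every line matching a signature."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line: in production, log it rather than drop it
        path = unquote(m.group("path"))
        for name, rx in SIGNATURES.items():
            if rx.search(path):
                alerts.append((m.group("src"), name))
    return alerts

# Constructed per-minute request counts: a clean training period and a
# later window in which one minute carries a flood no signature describes.
BASELINE_PER_MINUTE = [10, 12, 11, 9, 13, 10, 12, 11]
OBSERVED_PER_MINUTE = {"10:00": 12, "10:01": 11, "10:02": 40}

def anomaly_alerts(baseline, observed, k=3.0):
    """Flag windows whose count exceeds the baseline mean by more than k
    standard deviations. Returns (window, count, z_score) tuples."""
    mean = statistics.mean(baseline)
    sd = statistics.stdev(baseline)
    alerts = []
    for window, count in sorted(observed.items()):
        z = (count - mean) / sd
        if z > k:
            alerts.append((window, count, round(z, 2)))
    return alerts

if __name__ == "__main__":
    print(signature_alerts(SAMPLE_LOG))
    print(anomaly_alerts(BASELINE_PER_MINUTE, OBSERVED_PER_MINUTE))
```

The threshold k is the tuning knob that trades false positives for false negatives: lowering it catches smaller deviations but makes ordinary busy minutes raise alarms.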
Classification (2): NIDS
• Resides on computer or appliance connected to
segment of an organization’s network; looks
for signs of attacks
NIDS Advantages, Disadvantages
Advantages
• Org. can monitor large network with few devices
• Passive; deployment minimally disrupts operations
• Less susceptible to attack; attackers may not detect them
Disadvantages
• Can be overwhelmed by volume of network traffic
• Needs to see all traffic to be monitored (e.g., a mirror/span port on switched networks)
• Cannot analyze encrypted network packets
• Cannot determine if attack was successful
• Cannot detect some attacks (e.g., those using fragmented packets)
Classification (2): HIDS
• HIDS runs on a particular computer, monitors activity
only on that system
• Benchmarks (baselines) key system files and monitors them;
detects when an intruder creates, modifies, or deletes files
• HIDSs work on principle of configuration (change) management
• Unlike NIDSs, HIDSs can be installed to access info.
that’s encrypted in transit over network (it is
decrypted on the host before the HIDS sees it)
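Added example (not part of the lecture): the file-integrity check at the core of a HIDS, in Python. A baseline of SHA-256 hash, size, and permission bits is taken for every file under a directory; a later scan is diffed against it to report added, removed, and modified files. The directory tree and the "intruder" edits are constructed inside a temporary directory so the example runs stand-alone; the trojaned binary keeps its original size to show why a hash, not a size or timestamp, is what detects the change.

```python
# Added example (not from the lecture): HIDS-style file-integrity checking.
import hashlib
import os
import tempfile

def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def baseline(root):
    """Map relative path -> (sha256, size, permission bits) for every file under root."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = (hash_file(full), st.st_size, st.st_mode & 0o777)
    return snap

def compare(old, new):
    """Diff two baselines; any change in hash, size or mode counts as modified."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "modified": modified}

def demo():
    """Build a throwaway tree, take a baseline, simulate intruder file I/O, report."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "etc", "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"\x7fELF fake binary")          # constructed stand-in for a binary
        base = baseline(root)

        # Constructed intruder activity: add a root-equivalent account,
        # replace a binary with one of identical size, drop a new tool.
        with open(os.path.join(root, "etc", "passwd"), "a") as f:
            f.write("evil:x:0:0::/:/bin/sh\n")
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"\x7fELF trojaned ls")          # same length as the original
        with open(os.path.join(root, "bin", "nc"), "wb") as f:
            f.write(b"\x7fELF backdoor")
        return compare(base, baseline(root))

if __name__ == "__main__":
    print(demo())
```

The slide's "vulnerable to attacks against the host OS, HIDS" point applies directly: an intruder with root can rewrite the baseline file too, so a real deployment stores (or signs) the baseline off the host and ships the comparison results off the host as well.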
HIDS Advantages, Disadvantages
Advantages
• Detect local events, attacks on host systems that NIDSs may not
• Can view encrypted traffic (as it has been decrypted on system)
• HIDSs unaffected by switched network protocols
• Can detect inconsistencies in apps, programs by examining audit logs
Disadvantages
• Harder to manage than NIDSs (one agent per host)
• Vulnerable to attacks against host operating system, HIDS
• Cannot detect scans of multiple hosts, non-network devices
• HIDSs potential targets for denial-of-service (DoS) attack
• May use lots of disk space
• Possible large compute performance overhead on host systems
Application-Based IDS
• Application-based IDS (AppIDS) looks at a particular app for
abnormal events, e.g., in its
– Network activity
– Configuration
• Disadvantages
– More susceptible to attack (it sits closer to the attacker than a NIDS does)
– Less capable of detecting software tampering
– May be fooled by forms of spoofing
Selecting IDS Approaches and Products
• Technical and policy considerations
– What is your systems environment?
– What are your security goals?
– What is your existing security policy?
Fully Distributed IDS Control (Fig. 7-5)
Partially Distributed IDS Control (Fig. 7-6)
IDS Deployment Overview
• IDS system placement can be a “black art”
Deploying NIDSs (1)
• NIST recommends four locations for NIDSs:
Deploying NIDSs (2) (Fig. 7-7)
Deploying HIDS
Measuring Effectiveness of IDSs
• IDSs are evaluated using two dominant metrics:
– # of attacks detected in a known collection of probes
– Network bandwidth at which IDSs fail (start dropping packets)
• Example: At 1 Gbit/s, IDS detected 95% of
directed attacks against it
• Many vendors provide test suites for verification
• Example test suites:
– Record, retransmit real packet trace from virus/worm
– Perform same for malformed packets and floods (e.g., SYN flood)
– Launch
Honeypots, Honeynets, and Padded Cell
Systems
• Honeypots: decoy systems designed to lure potential attackers
away from critical systems
• Design goals:
– Divert attacker from accessing critical systems
– Gather information about attacker’s activity
– Encourage attacker to linger so admins can document event, respond
• Honeynets: collection of honeypots connected in a subnet
• Padded cell: honeypot hardened so that it cannot easily be compromised
– Typically works in tandem with traditional IDS
– When IDS detects attackers, it transfers them to “special
environment” where they cannot cause harm (hence the name)
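Added example (not part of the lecture): a minimal low-interaction honeypot in Python that illustrates the second and third design goals above. It listens on a loopback TCP port, presents a fake SMTP banner (the hostname in it is invented), records the source address and whatever each client sends, and never executes any of it. The `probe` function plays the attacker so the whole exchange runs offline in one process.

```python
# Added example (not from the lecture): minimal low-interaction honeypot.
import socket
import socketserver
import threading
import time

# Fake service banner; the hostname is invented for the example.
BANNER = b"220 mail.example.test ESMTP Postfix\r\n"

class Honeypot(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, addr):
        super().__init__(addr, HoneypotHandler)
        self.events = []               # one dict per connection
        self.lock = threading.Lock()

class HoneypotHandler(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.settimeout(2.0)
        self.request.sendall(BANNER)   # lure: look like a real mail server
        data = b""
        try:
            while len(data) < 4096:    # cap what we keep per connection
                chunk = self.request.recv(1024)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            pass                       # attacker went quiet; keep what we have
        with self.server.lock:
            self.server.events.append({
                "time": time.time(),
                "src": self.client_address[0],
                "sport": self.client_address[1],
                "payload": data,       # recorded, never interpreted or executed
            })

def start_honeypot():
    """Bind to an ephemeral loopback port and serve in a background thread."""
    srv = Honeypot(("127.0.0.1", 0))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def probe(port, payload):
    """Act as the attacker: connect, read the banner, send a payload, hang up."""
    with socket.create_connection(("127.0.0.1", port), timeout=2.0) as s:
        banner = s.recv(1024)
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)     # signal end of input so the handler returns
    return banner

def demo():
    srv = start_honeypot()
    try:
        banner = probe(srv.server_address[1], b"EHLO scanner\r\nVRFY root\r\n")
        deadline = time.time() + 5
        while not srv.events and time.time() < deadline:
            time.sleep(0.05)           # wait for the handler thread to log the event
        return banner, list(srv.events)
    finally:
        srv.shutdown()
        srv.server_close()

if __name__ == "__main__":
    print(demo())
```

A deployed honeypot keeps this shape but ships its events off the box immediately, because the host is by design the one the attacker is allowed to reach; and, per the legal caveat on the next slide, it must not be able to reach anything else.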
Honeypots: Advantages and Disadvantages
Advantages
• Diverts attackers to targets they can’t damage
• Admins have time to determine response
• Honeypots can monitor attackers’ actions; attack logs can help improve system security
• Honeypots may catch insiders snooping around network
Disadvantages
• Legal implications are not well defined
• Honeypots’ effectiveness as security tech is unclear
• Expert attacker detecting honeypot may get angry, launch worse attack against org.
• Admins, security managers need expertise to use honeypots
Honeypot Examples
Scanning and Analysis Tools (1)
• Often used to collect information that an attacker
would need to launch a successful attack
• Attack protocol: sequence of attacker’s steps to
attack target system/network
• Footprinting: determining what hostnames, IP
addresses a target org. owns
• Fingerprinting: systematic survey of the addresses and
resources found in footprinting stage (which hosts are up,
which services and OS versions they run)
– Useful for discovering weaknesses in org.’s
network or systems
Scanning and Analysis Tools (2)
• Hostname queries: nslookup (Windows, Un*x), dig (Un*x)
• IP address ownership:
– whois, https://whois.domaintools.com/
• Internet search queries for terms such as
“Proprietary”, “Confidential” (turns up leaked internal documents)
• Also: https://tools.wordtothewise.com/
Sources: https://nmap.org; self-taken screenshot
Firewall Analysis Tools
Packet Sniffers
• Tool that gathers network packets, analyzes them
• Can provide network admin with info. to solve networking
issues (or an attacker with eavesdropped data: credentials,
session tokens sent in the clear)
• For legal use: admin must be on org.-owned network and have
consent from net. owners
• Example tool: Wireshark
Source: Wikipedia (user SF007)
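Added example (not part of the lecture): what a sniffer does at the lowest layer, in Python. `build_frame` constructs an Ethernet/IPv4/TCP frame from scratch (the MAC and IP addresses and the payload are made up), and `parse_frame` decodes it back: addresses, TTL, TCP ports and flags, payload, whether the IP header checksum verifies, and whether the packet is a fragment. The fragment bit matters for the NIDS limitation mentioned earlier: a detector that inspects fragments one at a time never sees the reassembled payload.

```python
# Added example (not from the lecture): decoding a raw Ethernet/IPv4/TCP frame.
import ipaddress
import struct

def ip_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement sum; returns 0 over a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_frame(src_ip, dst_ip, sport, dport, flags, payload):
    """Constructed test frame (not captured traffic). TCP checksum left at 0."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip_wo = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                        ipaddress.IPv4Address(src_ip).packed,
                        ipaddress.IPv4Address(dst_ip).packed)
    ip = ip_wo[:10] + struct.pack("!H", ip_checksum(ip_wo)) + ip_wo[12:]
    return eth + ip + tcp + payload

TCP_FLAG_NAMES = [(0x02, "SYN"), (0x10, "ACK"), (0x01, "FIN"),
                  (0x04, "RST"), (0x08, "PSH"), (0x20, "URG")]

def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet, IPv4 and (if present) TCP headers into a dict."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        return {"ethertype": ethertype}          # not IPv4: stop here
    ip = frame[14:]
    (ver_ihl, _tos, total_len, _ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4                   # header length incl. options
    info = {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "ttl": ttl,
        "proto": proto,
        "ip_checksum_ok": ip_checksum(ip[:ihl]) == 0,
        # MF bit set or non-zero offset: this is one piece of a larger datagram
        "fragmented": bool(flags_frag & 0x2000) or (flags_frag & 0x1FFF) != 0,
    }
    if proto == 6:
        tcp = ip[ihl:total_len]
        (sport, dport, seq, _ack, off_res, flags,
         _win, _tcsum, _urg) = struct.unpack("!HHIIBBHHH", tcp[:20])
        doff = (off_res >> 4) * 4
        info.update({
            "sport": sport, "dport": dport, "seq": seq,
            "flags": [name for bit, name in TCP_FLAG_NAMES if flags & bit],
            "payload": tcp[doff:],
        })
    return info

if __name__ == "__main__":
    f = build_frame("10.0.0.5", "192.0.2.80", 40000, 80, 0x18, b"GET / HTTP/1.1\r\n")
    print(parse_frame(f))
```

Wireshark's dissectors do exactly this, protocol by protocol, for hundreds of formats; the manual version makes clear why a sniffer on the wire sees credentials in the payload whenever the application layer is not encrypted.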
Wireless Security Tools
• Organization needs to consider wireless security in
tandem with its deployed wireless networks
• Toolkits can sniff wireless traffic, scan hosts, and
assess network privacy
• Don’t use WEP! (its RC4 key can be recovered from captured
traffic in minutes with aircrack-ng)
• Example tools:
– Wireshark
– aircrack-ng
Source: Flickr (user: raynedata)
Access Control Devices
• Access control: authenticates, authorizes users
– Authentication: validate a person’s identity
– Authorization: specify what the person can do with
computers, networks
– Recommended: use ≥ two types of auth. technology (multi-factor)
• Four main ways to authenticate person:
– What a person knows (e.g., password);
– What a person has (e.g., Duo Mobile app code, work badge);
– Who a person is (e.g., fingerprint);
– What a supplicant produces (e.g., handwritten signature, voice pattern)
Summary
• Intrusion detection system (IDS) detects a violation of
its configuration and sounds an alarm