4471 Lecture 6

This document provides an overview of intrusion detection systems and security tools. It defines key intrusion terminology and describes different types of intrusion detection systems, including signature-based systems, statistical anomaly-based systems, network-based systems, host-based systems, and application-based systems. The document also discusses strategies for deploying intrusion detection systems, measuring their effectiveness, and using related tools like honeypots and honeynets.


Intrusion Detection, Access Control and Other Security Tools


CSE 4471: Information Security
Instructor: Adam C. Champion, Ph.D.

1
Intrusion Terminology
• Intrusion: attack on information where malicious
perpetrator tries to break into, disrupt system
• Intrusion detection: includes procedures and systems
created and operated to detect system intrusions
• Intrusion reaction: covers actions organization takes
upon detecting intrusion
• Intrusion correction activities: restore normal operations
• Intrusion prevention: actions that try to deter intrusions
proactively

2
Intrusion Detection Systems (IDSs)
• Detects a violation of its configured policy (or a deviation from expected activity), sounds alarm
• IDSs inform admins of trouble via e-mail, pagers
• Can configure systems to notify external security
org. of “break-in”

3
IDS Terminology
• Alert, alarm: indication that a system has been attacked or is under attack
• False negative: IDS fails to detect an actual attack (the most dangerous failure)
• False positive: attack alert when no attack occurred; too many and admins start ignoring alerts
• Confidence value: IDS’s estimate of the probability that an alert is a real attack
• Alarm filtering: classifying alerts so that known false positives are suppressed and real ones are prioritized

4
IDS Classification Methods
① IDS detection methods:
– Signature-based (sig IDS)
– Statistical anomaly-based (stat IDS)
② IDS operation:
– Network-based intrusion detection syst. (NIDS)
– Host-based IDS (HIDS)
– Application-based systems (AppIDS)

5
Classification (1): Sig. IDS
• Find network, host traffic patterns that match
known signatures
• Advantage: Many attacks have distinct signatures
• Disadvantages:
– IDS’s signature database must be updated to keep
pace with new attacks
– Malicious code authors intentionally use tricks to fool
these IDSs

6
Classification (1): Stat. IDS
• Statistical anomaly-based IDS samples network activity and compares it to a baseline of “known normal” traffic
• IDS sounds alarm when activity is outside the baseline parameters
• Advantage: IDS can detect new types of attacks
• Disadvantages:
– Requires more overhead, compute power than
signature-based IDSs
– May generate many false positives
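Added example (not from the original slides): a toy signature-based detector and a toy statistical anomaly detector run over a constructed request log, with a tally of true/false positives and negatives for each. The log lines, the signature patterns, the request-length feature and the 3-sigma threshold are all assumptions chosen to make the trade-off on the two slides visible: the signature detector misses the novel attack, while the anomaly detector catches it but also flags a long benign URL and misses a short path-traversal request.

```python
import re
import statistics
from collections import Counter

# Constructed "known normal" request paths used to build the anomaly baseline.
TRAINING_PATHS = [
    "/index.html", "/about.html", "/contact.html",
    "/products/list", "/images/logo.png", "/search?q=shoes",
]

# Constructed events to classify: (request path, ground-truth is_attack).
EVENTS = [
    ("/index.html", False),
    ("/login?user=admin'%20OR%20'1'='1", True),            # SQL injection
    ("/../../etc/passwd", True),                            # path traversal
    ("/x?q=%3Cscript%3Ealert(1)%3C/script%3E", True),       # reflected XSS
    ("/products/category/winter-collection/2024", False),   # long but benign
    ("/new-attack-pattern-unknown-to-the-ids", True),       # novel attack, no signature yet
]

# Hypothetical signature database: (name, pattern). A real one holds thousands.
SIGNATURES = [
    ("sqli-quote-or", re.compile(r"'(%20|\s)*or(%20|\s)*'", re.IGNORECASE)),
    ("path-traversal", re.compile(r"\.\./")),
    ("xss-script-tag", re.compile(r"(<|%3c)script", re.IGNORECASE)),
]


def signature_detect(path):
    """Signature IDS: return the names of all signatures that match (empty = no alert)."""
    return [name for name, rx in SIGNATURES if rx.search(path)]


class AnomalyDetector:
    """Statistical anomaly IDS: learn a baseline for one feature (request length)
    from known-normal traffic and alert when an event exceeds mean + k*sigma."""

    def __init__(self, training_paths, k=3.0, min_sigma=1.0):
        lengths = [len(p) for p in training_paths]
        self.mean = statistics.fmean(lengths)
        # Floor sigma so a perfectly uniform baseline does not flag every deviation.
        self.sigma = max(statistics.pstdev(lengths), min_sigma)
        self.threshold = self.mean + k * self.sigma

    def detect(self, path):
        return len(path) > self.threshold


def evaluate(events, detector):
    """Tally true/false positives and negatives for a detector callable."""
    counts = Counter()
    for path, is_attack in events:
        alerted = bool(detector(path))
        if alerted and is_attack:
            counts["true_positive"] += 1
        elif alerted:
            counts["false_positive"] += 1
        elif is_attack:
            counts["false_negative"] += 1
        else:
            counts["true_negative"] += 1
    return dict(counts)


if __name__ == "__main__":
    anomaly = AnomalyDetector(TRAINING_PATHS)
    for path, is_attack in EVENTS:
        print(f"{path:45} attack={is_attack} sig={signature_detect(path)} "
              f"anomaly={anomaly.detect(path)}")
    print("signature:", evaluate(EVENTS, signature_detect))
    print("anomaly:  ", evaluate(EVENTS, anomaly.detect))
```

Over these six events the signature detector scores 3 true positives, 2 true negatives and 1 false negative (the novel attack); the anomaly detector scores 3 true positives, 1 true negative, 1 false positive (the long benign URL) and 1 false negative (the short traversal). Real anomaly systems use many features and far larger baselines, but the failure modes are the same ones the slides list.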

7
8
Classification (2): NIDS
• Resides on a computer or appliance connected to a segment of an organization’s network; looks for signs of attacks
• When examining packets, a NIDS looks for attack patterns
• Installed at a specific place in the network where it can watch traffic going into and out of a particular network segment
9
NIDS Signature Matching
§ NIDSs look for attack patterns for detection
§ Accomplished via a special implementation of the TCP/IP stack that checks traffic at two levels:
– Protocol stack verification: look for invalid packets (malformed headers, impossible flag combinations, bad lengths)
– App. protocol verification: look at higher-order protocols (e.g., HTTP, DNS) for unexpected behavior or improper use

10
NIDS Advantages, Disadvantages
Advantages:
• Org. can monitor a large network with few devices
• Passive; deployment minimally disrupts operations
• Less susceptible to attack; attackers may not detect them
Disadvantages:
• Can be overwhelmed by volume of network traffic
• Need to monitor all traffic
• Cannot analyze encrypted network packets
• Cannot determine if attack was successful
• Cannot detect some attacks (e.g., fragmented packets)

11
Classification (2): HIDS
• HIDS runs on a particular computer, monitors activity
only on that system
• Benchmarks and monitors the status of key system files; detects when an intruder creates, modifies, or deletes those files
• HIDSs work on principle of configuration management
• Unlike NIDSs, HIDSs can be installed to access info.
that’s encrypted in transit over network
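Added example of the file-benchmarking idea on this slide (not from the slides and not any HIDS product’s code): take a baseline of SHA-256 digests, sizes and permission bits for the files under a directory, then compare a later snapshot to report additions, removals and modifications. The monitored tree, the file contents and the simulated intruder changes are constructed in a temporary directory.

```python
import hashlib
import json
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file, streamed so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root):
    """Benchmark: digest, size and permission bits of every regular file under root."""
    snapshot = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            snapshot[rel] = {"sha256": file_digest(path), "size": st.st_size,
                             "mode": st.st_mode & 0o7777}
    return snapshot


def compare(before, after):
    """Report what changed between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def write(root, rel, content):
    """Helper for the constructed demo tree."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(content)


def demo():
    """Benchmark a constructed mini-host, simulate intruder file I/O, re-scan."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "etc/passwd", "root:x:0:0:root:/root:/bin/sh\n")
        write(root, "etc/motd", "Authorised users only.\n")
        write(root, "bin/sh", "#!/bin/sh\n")
        write(root, "bin/ls", "original ls binary\n")
        # A real HIDS keeps this baseline off-host or on read-only media, because an
        # intruder who owns the host can otherwise rewrite it to hide the changes.
        before = json.loads(json.dumps(baseline(root)))

        # Simulated intruder activity (constructed for the example).
        write(root, "etc/passwd", "root:x:0:0:root:/root:/bin/sh\nhax:x:0:0::/:/bin/sh\n")
        write(root, "bin/ls", "trojaned ls binary\n")
        write(root, "etc/cron.d/backdoor", "* * * * * root /tmp/.x\n")
        os.remove(os.path.join(root, "etc", "motd"))

        return compare(before, baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The comparison is only as trustworthy as the stored baseline, which is the practical form of the “vulnerable to attacks against host OS, HIDS” point on the next slide: sign the baseline or keep it where the monitored host cannot write it.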

12
HIDS Advantages, Disadvantages
Advantages:
• Detect local events, attacks on host systems that NIDSs may not
• Can view encrypted traffic (as it has been decrypted on the system)
• HIDSs unaffected by switched network protocols
• Can detect inconsistencies in apps, programs by examining audit logs
Disadvantages:
• Harder to manage than NIDSs
• Vulnerable to attacks against host operating system, HIDS
• Cannot detect multi-host scans, or scans of non-host network devices (routers, switches)
• HIDSs potential targets for denial-of-service (DoS) attack
• May use lots of disk space
• Possible large compute performance overhead on host systems

13
Application-Based IDS
• Application-based IDS (AppIDS) looks at apps for abnormal events
• AppIDS may be configured to intercept requests to the:
– File system
– Network
– Configuration
– Process’s virtual memory address space
14
Advantages and Disadvantages of AppIDSs
§ Advantages
– Aware of specific users; can observe interaction
between apps and users
– Functions with encrypted incoming data

§ Disadvantages
– More susceptible to attack
– Less capable of detecting software tampering
– May be fooled by forms of spoofing
15
Selecting IDS Approaches and Products
• Technical and policy considerations
– What is your systems environment?
– What are your security goals?
– What is your existing security policy?
• Organizational requirements and constraints
– What requirements are given from outside the org.?
– What are your org’s resource constraints? ($$$)
16
IDS Control Strategies
• An IDS can be implemented via one of three basic
control strategies
– Centralized: all IDS control functions are implemented
and managed in a central location
– Fully distributed: all control functions are applied at the
physical location of each IDS component
– Partially distributed: combines the two; while
individual agents can still analyze and respond to local
threats, they report to a hierarchical central facility to
enable organization to detect widespread attacks
17
Centralized IDS Control (Fig. 7-4)

18
Fully Distributed IDS Control (Fig. 7-5)

19
Partially Distributed IDS Control (Fig. 7-6)

20
IDS Deployment Overview
• IDS placement can be a “black art”
– Similar to the “what type of IDS should be used?” question
• Need to balance organization’s security needs with budget
• We can use NIDS and HIDS in tandem to cover both individual systems that connect to an org’s networks and the networks themselves

21
Deploying NIDSs (1)
• NIST recommends four locations for NIDSs:
– Location 1: behind each external firewall, in the network DMZ
– Location 2: outside an external firewall
– Location 3: on major network backbones
– Location 4: on critical subnets

22
Deploying NIDSs (2) (Fig. 7-7)

23
Deploying HIDS
• Setting up HIDSs: tedious, time-consuming (?)
• Steps:
– First: install HIDSs on most critical systems
– Next: install HIDSs on all systems, or until the organization reaches a tolerable degree of coverage

24
Measuring Effectiveness of IDSs
• IDSs are evaluated using two dominant metrics:
– # of attacks detected in a known collection of probes
– Network bandwidth at which IDSs fail
• Example: At 1 Gbit/s, IDS detected 95% of directed attacks against it
• Many vendors provide test suites for verification
• Example test suites:
– Record, retransmit real packet trace from virus/worm
– Perform same for malformed packets and flood traffic (e.g., SYN flood)
– Launch

25
Honeypots, Honeynets, and Padded Cell
Systems
• Honeypots: decoy systems designed to lure potential attackers
away from critical systems
• Design goals:
– Divert attacker from accessing critical systems
– Gather information about attacker’s activity
– Encourage attacker to linger so admins can document event, respond
• Honeynets: collection of honeypots connected in a subnet
• Padded cell: honeypot protected in order to hinder compromise
– Typically works in tandem with traditional IDS
– When IDS detects attackers, it transfers them to “special
environment” where they cannot cause harm (hence the name)
26
Honeypots: Advantages and Disadvantages
Advantages:
• Diverts attackers to targets they can’t damage
• Admins have time to determine response
• Honeypots can monitor attackers’ actions; attack logs can help improve system security
• Honeypots may catch insiders snooping around network
Disadvantages:
• Legal implications are not well defined
• Honeypots’ effectiveness as security tech is unclear
• Expert attacker detecting honeypot may get angry, launch worse attack against org.
• Admins, security managers need expertise to use honeypots

27
Honeypot Examples

Sources: Fred Cohen & Associates (http://all.net/WG/index.html); https://github.com/paralax/awesome-honeypots/
28
Trap and Trace Systems
• Various techniques that detect intrusion, trace it to origin
• “Trap” consists of honeypot/padded cell, alarm
• Legal drawbacks to trap and trace:
– Enticement: attracts attacker to system by placing tantalizing info. in certain places
– Entrapment: lures person into committing crime for conviction purposes
– Enticement is legal/ethical; entrapment is not
• More info: D.J. Gottfried, “Avoiding the Entrapment Defense in a Post-9/11 World,” FBI Law Enforcement Bulletin, 1 Jan. 2012, https://leb.fbi.gov/articles/legal-digest/legal-digest-avoiding-the-entrapment-defense-in-a-post-911-world.

29
Scanning and Analysis Tools (1)
• Often used to collect information that attacker
would need to launch successful attack
• Attack protocol: sequence of attacker’s steps to
attack target system/network
• Footprinting: determining what hostnames, IP
addresses a target org. owns
• Fingerprinting: systematic survey of resources
found in footprinting stage
– Useful for discovering weaknesses in org.’s
network or systems
30
Scanning and Analysis Tools (2)
• Hostname queries: nslookup, dig (Un*x)
• IP address ownership:
– whois, https://whois.domaintools.com/
• Internet search queries: “Proprietary”, “Confidential”
• Also: https://tools.wordtothewise.com/

Sources: Self-taken screenshots; https://whois.domaintools.com
31
Port Scanners
• Tools used by attackers, defenders to identify
computers on network (plus other info.)
• Can scan for certain computers, protocols, resources
(or generic scans)
• Example: nmap (https://nmap.org/)
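Added example (not nmap’s code and not from the slides): the simplest scan nmap offers, a TCP connect() scan, with banner grabbing for the fingerprinting step from the previous slide. It runs against a loopback listener the script starts itself, so it needs no network; the banner string and the choice of neighbouring ports are assumptions. Against any host you do not own, the legal note on the packet-sniffer slide applies just as much here.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def probe(host, port, timeout=0.5):
    """One TCP connect() probe; returns (state, banner)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return ("closed", "")     # RST came back: host is up, nothing listening
        except OSError:
            return ("filtered", "")   # no reply at all: a firewall probably dropped the SYN
        try:
            banner = s.recv(128).decode("ascii", "replace").strip()
        except OSError:
            banner = ""               # service does not speak first; nothing to grab
        return ("open", banner)


def scan(host, ports, workers=32):
    """Probe ports in parallel; returns {port: (state, banner)}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(zip(ports, pool.map(lambda p: probe(host, p), ports)))


def start_listener():
    """Constructed scan target: a loopback listener on an ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv.getsockname()[1], srv


def serve_banner(srv, banner, stop):
    """Accept loop for the target: greet every client with a banner, like sshd does."""
    srv.settimeout(0.1)
    while not stop.is_set():
        try:
            conn, _ = srv.accept()
        except socket.timeout:
            continue
        with conn:
            conn.sendall(banner)


def demo():
    """Start the target, scan it plus two neighbouring ports, tear it down."""
    port, srv = start_listener()
    stop = threading.Event()
    worker = threading.Thread(target=serve_banner,
                              args=(srv, b"SSH-2.0-ConstructedBanner\r\n", stop),
                              daemon=True)
    worker.start()
    try:
        results = scan("127.0.0.1", [port - 2, port - 1, port])
    finally:
        stop.set()
        worker.join()
        srv.close()
    return port, results


if __name__ == "__main__":
    port, results = demo()
    for p, (state, banner) in sorted(results.items()):
        print(f"{p:5}/tcp {state:8} {banner}")
```

A connect() scan completes the three-way handshake, so the target logs a full connection and a NIDS sees the same SYN/SYN-ACK/ACK as a real client; nmap’s default SYN scan avoids the final ACK precisely so that fewer logs are written. The three states returned here are the ones nmap reports as open, closed and filtered.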

Sources: https://nmap.org; self-taken screenshot
32
Firewall Analysis Tools
• Several tools automate discovery of firewall rules, assist admins in rule analysis
• Admins who are wary of using same tools that attackers use should remember:
– User intent dictates how gathered info. is used
– Need to understand ways to attack computer/network in order to defend it!
• Example: Nessus (https://www.tenable.com/products/nessus), a vulnerability scanner; scanning from outside the firewall shows which ports and services its rules actually expose

33
Packet Sniffers
• Tool that gathers network packets, analyzes them
• Can provide network admin with info. to solve networking
issues (or attacker eavesdropping)
• For legal use: admin must be on org.-owned network and have
consent from net. owners
• Example tool: Wireshark

Source: Wikipedia (user SF007)

34
Wireless Security Tools
• Organization needs to consider wireless security in tandem with its deployed wireless networks
• Toolkits can sniff wireless traffic, scan hosts, and assess network privacy
• Don’t use WEP!
• Example tools:
– Wireshark
– aircrack-ng

Source: Flickr (user: raynedata)

35
Access Control Devices
• Access control: authenticates, authorizes users
– Authentication: validate a person’s identity
– Authorization: specify what the person can do with computers, networks
– Recommended: use ≥ two types of auth. technology (multi-factor authentication)
• Four main ways to authenticate a person (supplicant):
– What the supplicant knows (e.g., password);
– What the supplicant has (e.g., Duo Mobile app code, work badge);
– Who the supplicant is (e.g., fingerprint);
– What the supplicant produces (e.g., handwritten signature, voice pattern)
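Added example (not from the slides) of combining two of the four factors: a salted PBKDF2 password hash (what the supplicant knows) and an RFC 6238 TOTP code (what the supplicant has, the kind of code an authenticator app such as Duo Mobile displays). The in-memory user store and the enrolment flow are assumptions; the TOTP routine is the standard HOTP/TOTP construction and can be checked against the SHA-1 test vectors in RFC 6238 Appendix B.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000
TOTP_STEP = 30
TOTP_DIGITS = 8

# Constructed in-memory credential store (hypothetical): username -> record.
USERS = {}


def hash_password(password, salt):
    """Something you know: slow, salted hash so leaked records resist cracking."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def hotp(key, counter, digits=TOTP_DIGITS):
    """HOTP (RFC 4226): HMAC-SHA1 over the counter, dynamic truncation, decimal digits."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key, unix_time, step=TOTP_STEP, digits=TOTP_DIGITS):
    """TOTP (RFC 6238): HOTP over the current time step. Something you have."""
    return hotp(key, unix_time // step, digits)


def enroll(username, password, totp_key):
    """Register a user with a fresh random salt and a shared TOTP secret."""
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": hash_password(password, salt),
                       "totp_key": totp_key}


def authenticate(username, password, code, now):
    """Both factors are always evaluated, so timing does not reveal which one failed."""
    record = USERS.get(username)
    if record is None:
        # Unknown user: burn the same work as a real check, then refuse.
        hash_password(password, b"\x00" * 16)
        return False
    password_ok = hmac.compare_digest(hash_password(password, record["salt"]), record["hash"])
    code = code if code.isascii() else ""   # compare_digest on str needs ASCII
    # Accept the previous, current and next step to tolerate small clock drift.
    code_ok = False
    for drift in (-TOTP_STEP, 0, TOTP_STEP):
        code_ok |= hmac.compare_digest(totp(record["totp_key"], now + drift), code)
    return password_ok and code_ok


if __name__ == "__main__":
    import time
    key = os.urandom(20)
    enroll("alice", "correct horse battery staple", key)
    now = int(time.time())
    print("current code:", totp(key, now))
    print("login ok:", authenticate("alice", "correct horse battery staple", totp(key, now), now))
    print("wrong code:", authenticate("alice", "correct horse battery staple", "00000000", now))
```

A production version also needs what this example leaves out: each TOTP code must be accepted at most once (otherwise a sniffed code works for up to 90 seconds), login attempts must be rate-limited, and the TOTP secret is as sensitive as the password hash and belongs in the same protected store.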
36
Summary
• Intrusion detection system (IDS) detects configuration violation and sounds alarm
• Network-based IDS (NIDS) vs. host-based IDS (HIDS)
• Complex selection of IDS products that fit an organization’s needs!
• Honeypots are decoy systems; two variations are honeynets and padded cell systems
37
Summary
• Scanning and analysis tools are used to pinpoint vulnerabilities in systems, holes in security components, and unsecured aspects of network
• Authentication is validation of prospective user’s (supplicant’s) identity

38
