Intrusion Detection: CS 432 - Computer and Network Security Sabancı University
Intrusion Detection: CS 432 - Computer and Network Security Sabancı University
Intrusion Detection: CS 432 - Computer and Network Security Sabancı University
Sabancı University
Intruders
significant problem of networked systems
hostile/unwanted trespass
from benign to serious
user trespass
unauthorized logon, privilege abuse
software trespass
virus, worm, or trojan horse
classes of intruders:
masquerader, misfeasor, clandestine user
Security Intrusion and Intrusion
Detection – Def’ns from RFC 2828
Security Intrusion
a security event, or combination of multiple security
events, that constitutes a security incident in which an
intruder gains, or attempts to gain, access to a
system (or system resource) without having
authorization to do so.
Intrusion Detection
a security service that monitors and analyzes system
events for the purpose of finding, and providing real-
time or near real-time warning of attempts to access
system resources in an unauthorized manner.
Examples of Intrusion
remote root compromise
web server defacement
guessing / cracking passwords
copying / viewing sensitive data / databases
running a packet sniffer to obtain
username/passwords
impersonating a user to reset/learn password
Mostly via social engineering, phishing
using an unattended and logged-in workstation
Intruder Types and Behaviors
Three broad categories
Hackers
Criminals
Insiders
Hackers
motivated by “thrill” and “status/reputation”
hacking community is a strong meritocracy
status is determined by level of competence
benign intruders might be tolerable
do consume resources and may slow performance
can’t know in advance whether benign or malign
What to do
IDS (Intrusion Detection Systems), IPS (Intrusion
Prevention System), VPNs can help to counter
Awareness of intruder problems led to
establishment of CIRTs
Computer/Cyber Incident Response Teams
collect / disseminate vulnerability info / responses
Criminals / Criminal Enterprises
Here the main motivation is to make money
Now the common threat is organized groups of cyber criminals
May be employed by a corporation / government
Most of the time, loosely affiliated gangs
Typically young
often Eastern European, Russian, Southeast Asian
common target is financial institutions, bank accounts and
credit cards on e-commerce servers
criminal hackers usually have specific targets
once penetrated act quickly and get out
IDS may help but less effective due to quick-in-and-out
strategy
sensitive data needs strong data protection (e.g. credit card
numbers)
Strong authentication would also help (2-factor auth.)
Insider Attacks
Most difficult to detect and prevent
employees have access & system knowledge
Attackers are motivated by revenge / feeling of
entitlement
when employment terminated
taking customer data when moving to competitor
intruder not
identified as
intruder
IDS Requirements
run continually with minimal human
supervision
be fault tolerant
resist subversion
minimal overhead on system
scalable, to serve a large numbe of users
configured according to system security
policies
allow dynamic reconfiguration
Host-Based IDS
specialized software to monitor system activity to
detect suspicious behavior
primary purpose is to detect intrusions, log suspicious
events, and send alerts
can detect both external and internal intrusions
two approaches, often used in combination:
signature detection
attack patterns are defined and they are used to decide on
intrusion
anomaly detection
collection of data related to the behavior of legitimate users
Statistical tests are applied to observed behavior
threshold detection – applies to all users
profile based – differs among the users
Audit Records
A fundamental tool for intrusion detection
Two variants:
Native audit records - provided by OS
always available but may not contain enough info
Detection-specific audit records
collects information required by IDS
additional overhead but specific to IDS task
Anomaly Detection
Threshold detection
Checks excessive event occurrences over time
Crude and ineffective intruder detector per se
Creates lots of false positives/negatives due to
Variance in time
Variance accross users
Profile based
Characterize past behavior of users and groups
Then, detect significant deviations
Based on analysis of audit records
example metrics: counter, guage, interval timer,
resource utilization
analysis methods: mean and standard deviation,
multivariate, markov process, time series (next slide)
Profile based Anomaly Detection -
Analysis Methods
Mean and standard deviation
ofa particular parameter
Not good (too crude)
Multivariate analysis
Correlationsamong several parameters (ex. relation
between login freq. and session time)
Markov process
Considers transition probabilities
Time series analysis
Analyze time intervals to see sequences of events
happening rapidly or slowly
All statistical methods using AI, Mach. Learning
and Data Mining techniques.
Signature Detection
Observe events on system and applying a set
of rules to decide if intruder
Approaches:
rule-based anomaly detection
analyze historical audit records for expected behavior,
then match with current behavior
rule-based penetration identification
rules identify known penetrations or possible
penetrations due to known weaknesses
rules are mostly OS specific
Central
Manager
Module:
Analyze and
correlate data
received from
other modules
Architecture
Network-Based IDS
network-based IDS (NIDS)
monitor traffic at selected points on a network to detect
intrusion patterns
in (near) real-time
may examine network, transport and/or application level
protocol activity directed toward the system to be
protected
Only network packets, no software activity examined
System components
A number of sensors to monitor packet traffic
Management server(s) with console (GUI)
Analysis can be done at sensors, at management
servers or both
Network-Based IDS
Types of sensors
inline and passive
Inline sensors
Inserted into a network segment
Traffic pass through
possibly as part of other networ-
king device (e.g. router, firewall) Passive
No need for a new hardware; only new software sensor
May create extra delay
Once attack is detected, traffic is blocked
Also a prevention technique
Passive sensors
monitors copy of traffic at background
Traffic does not pass through it, so there is no blocking capability
Option format
Keyword: arguments;
Several options can be listed separated by semicolon
Options are written in parentheses
example rule to detect TCP SYN-FIN attack:
Alert tcp $EXTERNAL_NET any -> $HOME_NET any \
(msg: "SCAN SYN FIN"; flags: SF;)
Intrusion Prevention Systems (IPS)
Later addition to terminology of security products
Two Interpretations of IPS
inline network or host-based IDS that can block traffic
functional addition IDS capabilities to firewalls
An IPS can block traffic like a firewall, but using
IDS algorithms
may be network or host based
Inline Snort is actually an IPS
End of CS 432
Lectures finished; no lectures in the last week
There is Snort lab on May 17 lab hour.
Do not forget project step 2 and HW2 as well
Final Exam is on May 28, 2019, 16:00
Places:
Lastname: A – Kaya: FENS L062; the rest: FENS L063.
Comprehensive
Rulesare same as Midterm
Handouts from other books are available at SUCourse