Intrusion Detection/Prevention Systems
Intrusion Detection/Prevention Systems. Objectives and Deliverable. Understand the concept of IDS/IPS and the two major categorizations: by features/models, and by location. Understand the pros and cons of each approach
Presentation Transcript
- Intrusion Detection/Prevention Systems
- Objectives and Deliverable • Understand the concept of IDS/IPS and the two major categorizations: by features/models, and by location. Understand the pros and cons of each approach • Be able to write a snort rule when given the signature and other configuration info • Understand the difference between exploits and vulnerabilities
- Definitions • Intrusion: a set of actions aimed at compromising the security goals, namely integrity, confidentiality, or availability, of a computing or networking resource • Intrusion detection: the process of identifying and responding to intrusion activities • Intrusion prevention: an extension of intrusion detection that also exercises access control to protect computers from exploitation, i.e., online IDS + access control
- Elements of Intrusion Detection • Primary assumptions: • System activities are observable • Normal and intrusive activities have distinct evidence • Components of intrusion detection systems: • From an algorithmic perspective: • Features - capture intrusion evidence • Models - piece the evidence together • From a system architecture perspective: • Various components: audit data processor, knowledge base, decision engine, alarm generation and responses
- Components of Intrusion Detection System (figure): audit records → audit data preprocessor → activity data → detection engine (using detection models) → alarms → decision engine (using decision table) → action/report. Assumptions: system activities are observable; normal and intrusive activities have distinct evidence
- Intrusion Detection Approaches • Modeling • Features: evidence extracted from audit data • Analysis approach: piecing the evidence together • Misuse detection (a.k.a. signature-based) • Anomaly detection (a.k.a. statistical-based) • Deployment: Network-based or Host-based • Network based: monitor network traffic • Host based: monitor computer processes
- Misuse Detection • Pattern matching of observed activity against known intrusion patterns: sequences of system calls, patterns of network traffic, etc. • Example: if (traffic contains "\x90+de[^\r\n]") then "attack detected" • Advantage: mostly accurate. But problems? Can't detect new attacks
- Vulnerability vs. Exploit • Vulnerability: a design flaw that lets bad input drive the program from a good state into a bad state (good state → bad input (exploit) → bad state); a vulnerability signature describes that input condition rather than the bytes of one particular exploit • Example: Blaster worm (WINRPC) vulnerability signature • BIND: rpc_vers==5 && rpc_vers_minor==1 && packed_drep==\x10\x00\x00\x00 && context[0].abstract_syntax.uuid==UUID_RemoteActivation • BIND-ACK: rpc_vers==5 && rpc_vers_minor==1 • CALL: rpc_vers==5 && rpc_vers_minor==1 && packed_drep==\x10\x00\x00\x00 && opnum==0x00 && stub.RemoteActivationBody.actual_length>=40 && matchRE(stub.buffer, /^\x5c\x00\x5c\x00/) • Pros: describes semantic context; very expressive, can express the vulnerability condition exactly; accurate • Cons: slow! Existing approaches all use sequential matching; requires protocol parsing
- Anomaly Detection • Define a profile describing "normal" behavior (e.g., activity measures over time), then detect deviations from that profile as probable intrusion activity. Thus it can detect potential new attacks. • Any problem? Relatively high false positive rates • Anomalies can just be new normal activities • Anomalies caused by other element faults, e.g., router failure or misconfiguration, P2P misconfiguration • Which method will detect DDoS SYN flooding?
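As an added example (not from the slides), here is a minimal statistical anomaly detector for the SYN-flood question above. It profiles the per-second count of pure SYN packets on constructed "normal" traffic, then flags any window whose count exceeds mean + k standard deviations. The packet tuples, the 1-second window, the k=3 threshold and the floor of 1 on the spread are all assumptions of this example; note that a SYN flood carries no payload that a misuse signature could match on, which is why the statistical approach fits here.

```python
"""Added example: statistical anomaly detection of a TCP SYN flood.
All traffic below is constructed for illustration."""
from statistics import mean, pstdev
from collections import Counter

# Constructed training traffic: (timestamp_sec, src_ip, tcp_flags).
# Ten quiet 1-second windows with 4-6 SYNs each from a handful of hosts.
NORMAL_PACKETS = [
    (t, f"10.0.0.{1 + (i % 5)}", "S")
    for t in range(10)
    for i in range(4 + (t % 3))
]

# Constructed test traffic: two quiet windows, then a SYN flood from
# many spoofed sources in window 12.
TEST_PACKETS = (
    [(10, "10.0.0.2", "S"), (10, "10.0.0.3", "S"), (10, "10.0.0.3", "SA"),
     (11, "10.0.0.1", "S"), (11, "10.0.0.4", "S"), (11, "10.0.0.4", "S")]
    + [(12, f"198.51.100.{i % 250}", "S") for i in range(500)]
)


def syn_counts_per_window(packets, window_sec=1):
    """Count pure SYNs (flag 'S' set, 'A' clear) per time window."""
    counts = Counter()
    for ts, _src, flags in packets:
        if "S" in flags and "A" not in flags:
            counts[ts // window_sec] += 1
    return counts


def build_profile(packets):
    """Profile of 'normal': mean and population std-dev of the
    per-window SYN count over the training data."""
    counts = syn_counts_per_window(packets)
    values = [counts[w] for w in sorted(counts)]
    return mean(values), pstdev(values)


def detect_syn_flood(packets, profile, k=3.0):
    """Return (window, count) pairs whose SYN count exceeds
    mean + k * stddev. The floor of 1.0 on the spread (an assumption of
    this example) stops very uniform training data from flagging
    one-packet fluctuations."""
    mu, sigma = profile
    threshold = mu + k * max(sigma, 1.0)
    counts = syn_counts_per_window(packets)
    return sorted((w, c) for w, c in counts.items() if c > threshold)


if __name__ == "__main__":
    profile = build_profile(NORMAL_PACKETS)
    print("profile (mean, stddev):", profile)
    print("flagged windows:", detect_syn_flood(TEST_PACKETS, profile))
```

The profile here is deliberately crude; the false-positive problem the slide mentions shows up as soon as a legitimate burst (a backup job, a flash crowd) exceeds the threshold, which is why real deployments combine the rate anomaly with other evidence such as the SYN-to-SYN/ACK ratio.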
- Host-Based IDSs • Use OS auditing and monitoring/analysis mechanisms to find malware • Can execute full static and dynamic analysis of a program • Monitor shell commands and system calls executed by user applications and system programs • Has the most comprehensive program info for detection, thus accurate • Problems: • User dependent: install/update IDS on all user machines! • If attacker takes over machine, can tamper with IDS binaries and modify audit logs • Only local view of the attack
- The Spread of Sapphire/Slammer Worms
- Network Based IDSs • At the early stage of a worm outbreak there are only limited worm samples. • Host-based sensors can only cover a limited IP space, which is a scalability issue, so they might not detect the worm in its early stage. (Figure: Internet → gateway routers → our network, with host-based detection only on individual hosts inside)
- Network IDSs • Deploying sensors at strategic locations • For example, packet sniffing via tcpdump at routers • Inspecting network traffic • Watch for violations of protocols and unusual connection patterns • Look into the packet payload for malicious code • Limitations • Cannot execute the payload or do any code analysis! • Even DPI gives limited application-level semantic information • Must record and process a huge amount of traffic • May be easily defeated by encryption; this can be mitigated by terminating the encryption at a gateway/proxy so the IDS sees plaintext
- Host-based vs. Network-based IDS • Give an attack that can only be detected by host-based IDS but not network-based IDS • Can you give an example only be detected by network-based IDS but not host-based IDS ?
- Key Metrics of IDS/IPS • Algorithm • Alarm: A; Intrusion: I • Detection (true alarm) rate: P(A|I) • False negative rate: P(¬A|I) • False alarm (aka false positive) rate: P(A|¬I) • True negative rate: P(¬A|¬I) • Architecture • Throughput of NIDS, targeting 10s of Gbps • E.g., only 32 ns per 40-byte TCP SYN packet at 10 Gbps • Resilient to attacks against the IDS itself
- Architecture of Network IDS (pipeline, bottom to top): packet stream → packet capture (libpcap) → TCP reassembly → protocol identification → signature matching (& protocol parsing when needed)
- Firewall/Net IPS vs. Net IDS • Firewall/IPS: inline, active filtering; fail-close (if it fails, traffic is blocked) • Network IDS: passive monitoring; fail-open (if it fails, traffic still flows, unmonitored)
- Comparison between Packet Filter and IPS
- Gartner Magic Quadrant for IPS • Ability to Execute: product/service; overall viability (business unit, financial, strategy, organization); sales execution/pricing; market responsiveness and track record; marketing execution; customer experience; operations • Completeness of Vision: market understanding; marketing strategy; sales strategy; offering (product) strategy; business model; vertical/industry strategy; innovation; geographic strategy
- Gartner Magic Quadrant for IPS, Two and a Half Years Ago
- Case Study: Snort IDS (not required for hw/exam except its signatures)
- Conclusions • Understand the concept of IDS/IPS and the two major categorizations: by features/models, and by location. Understand the pros and cons of each approach • Be able to write a snort rule when given the signature and other configuration info • Understand the difference between exploits and vulnerabilities
- Backup Slides
- Problems with Current IDSs • Inaccuracy of exploit-based signatures • Cannot recognize unknown anomalies/intrusions • Cannot provide quality info for forensics or situational-aware analysis • Hard to differentiate malicious events from unintentional anomalies • Anomalies can be caused by network element faults, e.g., router misconfiguration, link failures, etc., or application (such as P2P) misconfiguration • Cannot tell the situational-aware info: attack scope/target/strategy, attacker (botnet) size, etc.
- Limitations of Exploit-Based Signatures (figure: traffic filtering between the Internet and our network applies the exploit signature 10.*01 to the packets 1010101, 10111101, 11111100, 00010111; the first two match and are blocked, the other two pass) • Polymorphism! A polymorphic worm might not match an exact exploit-based signature
- Vulnerability Signature • Works for polymorphic worms • Works for all the worms that target the same vulnerability (figure: vulnerability-signature traffic filtering between the Internet and our network blocks every variant aimed at the vulnerability)
- Example of Vulnerability Signatures • At least 75% of vulnerabilities are due to buffer overflow • Sample vulnerability signature: length of the field that is copied into the vulnerable buffer > certain threshold • Intrinsic to the buffer overflow vulnerability and hard to evade (figure: protocol message with a field longer than the vulnerable buffer → overflow!)
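As an added example (not from the slides) serving both the Blaster vulnerability-signature slide and the three backup slides above, the following contrasts an exploit-based byte signature with a vulnerability-based length signature on a toy protocol. The protocol layout (magic | name_len | name | rest), the 32-byte vulnerable buffer, the exploit bytes and the worm samples are all constructed for this example; the Blaster signature on the earlier slide is the same idea applied to real DCE-RPC fields (opnum, actual_length >= 40).

```python
"""Added example: exploit-based vs. vulnerability-based signatures.
Toy protocol (assumed): magic(2) | name_len(1) | name(name_len) | rest.
The receiver copies `name` into a fixed 32-byte buffer, so the
vulnerability condition is simply name_len > 32."""
import struct

VULNERABLE_BUFFER = 32
MAGIC = b"\x05\x01"


def parse_message(msg):
    """The protocol parsing a vulnerability signature depends on.
    Returns the fields, or raises ValueError for a malformed message."""
    if len(msg) < 3 or msg[:2] != MAGIC:
        raise ValueError("bad magic")
    name_len = msg[2]
    name = msg[3:3 + name_len]
    if len(name) != name_len:
        raise ValueError("truncated name field")
    return {"name_len": name_len, "name": name, "rest": msg[3 + name_len:]}


# Exploit-based signature: bytes taken from one captured sample
# (a NOP sled followed by a specific decoder prefix). Constructed.
EXPLOIT_SIG = b"\x90\x90\x90\x90\xeb\x1f"


def exploit_sig_matches(msg):
    """Byte-pattern match anywhere in the message, no parsing."""
    return EXPLOIT_SIG in msg


def vuln_sig_matches(msg):
    """Vulnerability signature: the field that lands in the vulnerable
    buffer is longer than the buffer. Unparseable messages cannot reach
    the vulnerable copy, so they are not flagged."""
    try:
        return parse_message(msg)["name_len"] > VULNERABLE_BUFFER
    except ValueError:
        return False


def build_message(name, rest=b""):
    """Encode a message in the toy protocol (name must be < 256 bytes)."""
    return MAGIC + struct.pack("B", len(name)) + name + rest


# Constructed samples.
BENIGN = build_message(b"alice")
ORIGINAL_WORM = build_message(b"\x90" * 40 + b"\xeb\x1f" + b"\xcc" * 10)
# Same overflow, different sled and decoder bytes: the exploit signature
# no longer matches, the length condition still does.
POLYMORPHIC_WORM = build_message(b"\x41\x90\x42\x90" * 10 + b"\xe8\x00" + b"\xcc" * 10)
# Exploit bytes in a field that never reaches the vulnerable buffer:
# a false positive for the exploit signature, not for the vuln signature.
BENIGN_WITH_SLED = build_message(b"bob", rest=EXPLOIT_SIG)


if __name__ == "__main__":
    for label, msg in [("benign", BENIGN), ("original", ORIGINAL_WORM),
                       ("polymorphic", POLYMORPHIC_WORM),
                       ("benign+sled", BENIGN_WITH_SLED)]:
        print(f"{label:12s} exploit={exploit_sig_matches(msg)!s:5s} "
              f"vuln={vuln_sig_matches(msg)}")
```

The trade-off the slides list falls straight out of the code: `exploit_sig_matches` is a substring search that needs no protocol knowledge and runs at line rate, while `vuln_sig_matches` has to parse the message first, which is the "slow, requires protocol parsing" cost paid for catching every variant that overflows the same buffer.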
- Next Generation IDSs • Vulnerability-based • Adaptive - Automatically detect & generate signatures for zero-day attacks • Scenario-based for forensics and being situational-aware • Correlate (multiple sources of) audit data and attack information
- Related Tools for Network IDS (I) • While not an element of Snort, Wireshark (formerly called Ethereal) is the best open source GUI-based packet viewer • www.wireshark.org offers: • Support for various OSes: Windows, Mac OS • Included in standard packages of many different versions of Linux and UNIX • For both wired and wireless networks