Intrusion Detection is the art of detecting and responding to computer misuse. The problem computer security has to address is that a certain amount of access must be allowed to conduct business, so misuse cannot be prevented simply by denying all access. Two types of intrusion detection systems are Network Intrusion Detection and Host Based Intrusion Detection.
Intrusion Detection Tools
Intrusion detection tools are not prevention devices but are excellent deterrents. They provide damage assessment and threat identification capabilities.
- Intrusion Detection: Detecting unauthorized access to a computer network. (External)
- Misuse Detection: Detecting activity that matches known patterns of exploits or misuse. (Internal)
- Anomaly Detection: Detecting deviation from accepted behavior profiles.
- False Positive: An alarm raised on activity that is not misuse. (Takes up analyst resources)
- False Negative: Misuse that is not detected or alarmed.
Anatomy of an Intrusion Detection System
- Event log analysis for insider threat detection. (Scans of the logs)
- Network traffic analysis for perimeter threat detection. (Wireshark, TCPDump)
- Security configuration management. (Defines which events are good/bad)
- File integrity checking, "host based". (Who has access to what; reads/writes to files)
Command Console: Sets policies; sets security.
- Central command authority
- May be accessed remotely
- A dedicated machine with a set of tools, which sets the policies for alarms and collects the alarms. Examples: HP OpenView and IBM Tivoli
Assessment Manager: Collection of static configuration information.
- Security posture: the default security stance (Permit/Deny). Default Deny: nothing may be accessed unless access has been requested and granted.
Target Manager: Maintains connections with components in target side.
Alert Manager: Maintains and collects alert data.
- Auditing purposes (depends on the settings)
Database: Stores the history.
- Defines perimeter threats (up to the admin to define), e.g. ping sweeps vs. malicious packets. A ping sweep sends echo requests across an address range to find the addresses of all live machines.
- Incorporated into an IDS. Ping of death: an oversized ping (an ICMP datagram larger than the 65,535-byte IP maximum, delivered in fragments) that crashes a protocol stack which does not handle it.
- Action based on escalation policies. Host based: reports to whoever the organization designates.
Notification channels: email, pager, SNMP trap (Simple Network Management Protocol), on screen.
- Automated Response
- Manual Response
- Shutdown computer/connection
- Log off user
- Disable account
- Reconfigure a firewall/router
- Increase auditing
A Conceptual View of Misuse Detection
The goal of intrusion detection is to detect unacceptable behavior. In the real world the model of acceptable behavior is constructed from historical data, and historical data has limitations: it does not always reflect acceptable behavior. Either acceptable behaviors are defined explicitly, or you train your IDS on what is unacceptable.
- Adherence to a known threat pattern (misuse detection). False positives are possible: benign activity can match a pattern.
- Deviation from acceptable behavior (anomaly detection). False negatives are possible: misuse that is already present in the historical baseline is treated as normal.
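The two approaches and their failure modes, as an added example that is not part of the original notes: a signature matcher and a failed-login profile run over a constructed sshd-style log and are scored against ground truth. The log lines, the signature, the threshold and the "misuse sources" are all assumptions made for illustration; the legitimate root login from the admin host 10.0.0.2 is there to trip the signature, and the low-and-slow attacker at 198.51.100.3 is there to slip under the anomaly threshold.

```python
"""Misuse (signature) detection next to anomaly (profile) detection over
constructed sshd-style log lines, scored against ground truth.
Added example for these notes, not code from the original; the log lines,
signature, threshold and ground truth are made up for illustration."""
import re
from collections import Counter

# Constructed sample log (not real data). Ground truth: every line whose
# source address is in MISUSE_SOURCES is misuse; everything else is benign,
# including the legitimate root login from the admin host 10.0.0.2.
LOG_LINES = [
    "sshd: Accepted password for alice from 10.0.0.5 port 50122",
    "sshd: Failed password for bob from 10.0.0.7 port 50130",
    "sshd: Accepted password for bob from 10.0.0.7 port 50131",
    "sshd: Failed password for root from 203.0.113.9 port 40001",
    "sshd: Failed password for root from 203.0.113.9 port 40002",
    "sshd: Failed password for root from 203.0.113.9 port 40003",
    "sshd: Failed password for root from 203.0.113.9 port 40004",
    "sshd: Accepted password for root from 203.0.113.9 port 40005",
    "sshd: Failed password for alice from 10.0.0.5 port 50140",
    "sshd: Accepted password for root from 10.0.0.2 port 50200",
    "sshd: Failed password for root from 198.51.100.3 port 41000",
    "sshd: Accepted password for root from 198.51.100.3 port 41001",
]
MISUSE_SOURCES = {"203.0.113.9", "198.51.100.3"}

LINE_RE = re.compile(r"sshd: (Accepted|Failed) password for (\S+) from (\S+) port \d+")

# Hypothetical misuse signature: any password authentication as root over
# the network is treated as a known-bad pattern.
SIGNATURES = [re.compile(r"password for root from")]


def parse(line):
    """Split one log line into {ok, user, src}, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    result, user, src = m.groups()
    return {"ok": result == "Accepted", "user": user, "src": src}


def misuse_detect(lines):
    """Signature matching: alert on every line that matches a known pattern."""
    return [i for i, line in enumerate(lines)
            if any(sig.search(line) for sig in SIGNATURES)]


def anomaly_detect(lines, max_failures=3):
    """Profile based: a source becomes abnormal once its failed logins reach
    the threshold; every line from that source is then alerted."""
    events = [parse(line) for line in lines]
    failures = Counter(e["src"] for e in events if e and not e["ok"])
    suspect = {src for src, n in failures.items() if n >= max_failures}
    return [i for i, e in enumerate(events) if e and e["src"] in suspect]


def score(alerts, lines):
    """Count true positives, false positives and false negatives."""
    events = [parse(line) for line in lines]
    truth = {i for i, e in enumerate(events) if e and e["src"] in MISUSE_SOURCES}
    alerts = set(alerts)
    return {"tp": len(alerts & truth), "fp": len(alerts - truth), "fn": len(truth - alerts)}


if __name__ == "__main__":
    for name, detector in (("misuse", misuse_detect), ("anomaly", anomaly_detect)):
        print(name, score(detector(LOG_LINES), LOG_LINES))
```

The signature detector catches both attackers but also fires on the admin's legitimate root login (one false positive); the anomaly detector is silent on the admin but never sees the attacker who failed only once before succeeding (two false negatives). Real deployments run both and tune the threshold against their own history.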
Network Based Intrusion Detection System
- It is a network-based architecture.
- Life of a network packet
- Operational concepts for network based detection
- Benefits of network based IDS
- Issues with network based IDS
- Analyzes network packets. Most attacks are directed at operating system vulnerabilities.
- A stack buffer overflow is an attack in which the hacker writes past the end of a buffer on the stack and overwrites the saved return address, so that execution jumps to a location of the attacker's choosing.
- The term stack overflow also names an undesirable condition in which a program tries to use more stack space than the call stack has available. The call stack is the region of memory that holds each active function's return address and local variables, including the fixed-size buffers that a stack buffer overflow targets.
(Host based systems, by contrast, process data that originates on the computers themselves, e.g. event log files recording an unauthorized login.)
The most commonly targeted protocol suite is TCP/IP; attacks on TCP itself operate at the transport layer, and UDP is also possible. The application layer protocols may also be targeted (HTTP, SMTP, FTP). Network detection is uniquely positioned to detect unauthorized attempts while they are in transit.
Characteristics: Packets are usually "sniffed" off the network (network layer). They could also be taken from routers or switches (link layer).
Types of Attacks
- Unauthorized access: Tries to access a file, network segment, etc. A host based system could detect this, but only after the access has already happened; a network based system sees the attempt in transit, before the resource is reached (for example a Trojan Horse that would be used to gain information about the machine). Unauthorized access occurs when an outsider comes in over the network and logs into your system uninvited.
- Unauthorized login: Phishing attacks attempt to obtain a user's credentials by setting up a fake login page that the user believes belongs to the site they wanted. Credentials submitted over plain HTTP are visible to a network sensor; over HTTPS they are encrypted and are not.
- Jump-off points for other attacks: A chain attack gets authorized access to one system, then launches numerous attacks on other areas from it.
- Data/Resource theft: There have also been cases of freelance information brokers who steal information and sell it to the highest bidder.
- Password downloads: An unauthorized password download gives attackers the ability to compromise other systems. This is one of the traditional data thefts detectable with network intrusion detection: network security monitors look for patterns such as "/etc/passwd" in traffic, since a hacker would try to download that file.
- Bandwidth theft: A large organization such as IBM has bandwidth that goes unused; a hacker tries to use that bandwidth to run their own work.
- Denial of Service (DoS): These attacks are so named because they result in a resource not being available to service its users. Newer attacks on cell phones trigger the phone's security response, which is CPU intensive and drains the battery faster. The packets that deliver the attack usually carry many tell-tale characteristics that can be detected with network intrusion detection.
- Malformed packets: Malformed packets come in a variety of shapes and sizes, with the intent of causing a protocol stack to crash. Hackers take advantage of programmers who do not handle "impossible" situations such as null values in critical fields. The result is a hung network stack or a machine that crashes.
- Packet flooding: Crushes a network through packet overload (a DoS technique). It is easy to detect and to defend against by cutting off the source's access, unless the attacker is spoofing the source address, in which case it may be very hard to find out where the packets are originating.
- Distributed Denial of Service (DDoS): The attacker uses many compromised machines at once to target a computer or network and make it unavailable.
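Three of the detections listed above (the "/etc/passwd" download pattern, malformed packets, and packet flooding), as an added example that is not code from the original notes or any named product. The Packet fields, the constructed packets, the rule names and the flood threshold are assumptions for illustration; a real sensor would take these values from decoded IP/TCP headers.

```python
"""Network-sensor checks for the attack types above: a payload signature for
password-file downloads, malformed-packet checks, and a per-source packet
flood count. Added example for these notes, not code from the original;
the Packet fields, constructed packets, rule names and thresholds are
assumptions made for illustration."""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    proto: str        # "TCP", "UDP" or "ICMP"
    dport: int        # 0 for ICMP, which has no ports
    payload: bytes
    ip_len: int       # total length claimed in the IP header
    wire_len: int     # bytes actually captured off the wire


# Hypothetical signature table: payload substring -> alert name.
SIGNATURES = {b"/etc/passwd": "password_download", b"/etc/shadow": "password_download"}
IP_MAX_LEN = 65535    # largest total length an IP datagram may have


def signature_check(p):
    """Misuse pattern in the payload (here: an attempt to fetch the password file)."""
    for pattern, name in SIGNATURES.items():
        if pattern in p.payload:
            return name
    return None


def malformed_check(p):
    """'Impossible' header values that a careless protocol stack may not handle."""
    if p.ip_len != p.wire_len:
        return "length_mismatch"            # header claims a size that was not delivered
    if p.proto == "ICMP" and p.ip_len > IP_MAX_LEN:
        return "oversized_icmp"             # ping of death: reassembled datagram too large
    if p.proto in ("TCP", "UDP") and p.dport == 0:
        return "port_zero"                  # reserved port, never a legitimate destination
    return None


def inspect(packets, flood_threshold=5):
    """Run every packet through the per-packet checks, then the flood count.
    Returns a list of (alert_name, source_address)."""
    alerts = []
    per_source = Counter()
    for p in packets:
        per_source[p.src] += 1
        for check in (signature_check, malformed_check):
            name = check(p)
            if name:
                alerts.append((name, p.src))
    # Flood detection keys on the source address; if the attacker spoofs it,
    # the count is spread over fake sources and the real origin stays hidden.
    for src, n in per_source.items():
        if n >= flood_threshold:
            alerts.append(("packet_flood", src))
    return alerts


# Constructed traffic (not a real capture).
PACKETS = [
    Packet("10.0.0.5", "10.0.0.1", "TCP", 80, b"GET /index.html HTTP/1.0\r\n", 66, 66),
    Packet("203.0.113.9", "10.0.0.1", "TCP", 80, b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n", 80, 80),
    Packet("203.0.113.9", "10.0.0.1", "TCP", 21, b"RETR /etc/passwd\r\n", 58, 58),
    Packet("198.51.100.3", "10.0.0.1", "ICMP", 0, b"\x00" * 16, 65600, 65600),
    Packet("198.51.100.3", "10.0.0.1", "TCP", 0, b"", 40, 40),
    Packet("192.0.2.77", "10.0.0.1", "UDP", 53, b"\x00" * 16, 1500, 60),
] + [Packet("192.0.2.200", "10.0.0.1", "TCP", 80, b"", 40, 40) for _ in range(6)]

if __name__ == "__main__":
    for alert in inspect(PACKETS):
        print(alert)
```

The flood rule is the one the notes flag as fragile: it attributes packets to the claimed source, so a spoofing attacker spreads the count across addresses that never reach the threshold. A sensor on the wire can still see the volume arrive; it just cannot say from where.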
Network Intrusion Detection System Architecture
Sensor – Detects network patterns, then reports to the central console.
- Self-contained detection engines.
- Obtain network packets.
- Search for patterns of misuse.
- Report alarms to central consoles.
- Sensor placement depends on the type of architecture.
Traditional sensor based, aka network taps
- Works on whole network segments.
- Not widely distributed (one sensor per segment, and relatively few segments).
- Loss of packets is possible when heavy traffic is present.
- Network packet is born –> communication between two systems.
- Sensor reads the packet. The sensor sits on the segment between the two computers.
- Engine detects predefined patterns of misuse; alert generated.
- Security officer is notified (via email, pager, etc…)
- Response generated
- Alert stored in database (for later use)
- Reports generated on alert activity
- Data forensics for long term trend.
The engine is the main part of the system. In a traditional IDS there is a chance of packet loss on a high speed network.
Network node based architecture (used nowadays)
- Places an agent on each host in the network.
- Widely distributed (an agent on every single host in a mission critical system).
- Each sensor takes care of the packets directed to the host in which it resides.
- Sensors communicate with each other and the console to aggregate and correlate alarms.
Network Sensor: steps 1-3
Command Console: steps 4-8
1. Network packet is born: communication between two systems.
2. Packet is read in real time off the network.
3. Detection engine detects predefined patterns; alerts generated.
4. Security officer is notified.
5. Response generated.
6. Alerts stored in database for future reference.
7. Report generated summarizing the alert activity.
8. Data forensics used to look for long term trends.
Host based systems run in a combination of real-time and batch, or scheduled processing.
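The node-based architecture above, together with the escalation policy from the alert manager section, as an added example that is not code from the original notes or from any named product: one sensor agent per host that looks only at packets addressed to that host, and a command console that stores every alert, correlates across sensors (several hosts probed by one source becomes a ping sweep) and picks notification channels from an escalation table. The host addresses, packet fields, rule names, sweep threshold and escalation table are assumptions for illustration.

```python
"""Node-based IDS: one sensor per host, a central console that keeps the
alert history, correlates across sensors and applies an escalation policy.
Added example for these notes, not code from the original; hosts, packet
fields, rule names, thresholds and the escalation table are assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "ICMP" or "TCP"


# Hypothetical escalation policy: which notification channels each rule triggers.
ESCALATION = {
    "icmp_echo": ("on_screen",),
    "ping_sweep": ("email", "page", "snmp_trap"),
}


class CommandConsole:
    """Central command authority: alert database, correlation, escalation."""

    def __init__(self, sweep_hosts=3):
        self.db = []                           # alert history for reports and forensics
        self.hosts_by_src = defaultdict(set)   # correlation state: source -> hosts probed
        self.sweep_hosts = sweep_hosts         # distinct targets that make a sweep
        self.notifications = []                # (rule, src, channels) sent to the officer

    def report(self, rule, src, host):
        """Called by a sensor: store the alert, notify per policy, then correlate."""
        self.db.append({"rule": rule, "src": src, "host": host})
        self.notifications.append((rule, src, ESCALATION[rule]))
        if rule == "icmp_echo":
            seen = self.hosts_by_src[src]
            seen.add(host)
            # One echo request is noise; the same source probing several hosts
            # is a ping sweep. Fire exactly once, when the threshold is reached.
            if len(seen) == self.sweep_hosts:
                self.db.append({"rule": "ping_sweep", "src": src, "hosts": sorted(seen)})
                self.notifications.append(("ping_sweep", src, ESCALATION["ping_sweep"]))


class NodeSensor:
    """Agent on one host: inspects only the packets directed to that host."""

    def __init__(self, host, console):
        self.host = host
        self.console = console

    def observe(self, packet):
        if packet.dst != self.host:
            return False                     # not this node's traffic
        if packet.proto == "ICMP":           # a single echo request is low severity
            self.console.report("icmp_echo", packet.src, self.host)
        return True


def run(packets, hosts, sweep_hosts=3):
    """Deploy one sensor per host, pass every packet by every sensor,
    and return the console for inspection."""
    console = CommandConsole(sweep_hosts)
    sensors = [NodeSensor(h, console) for h in hosts]
    for p in packets:
        for s in sensors:
            s.observe(p)
    return console


# Constructed traffic (not a capture): 203.0.113.9 pings every monitored host,
# 10.0.0.5 pings one host, and one packet goes to a host with no agent installed.
HOSTS = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"]
PACKETS = [Packet("203.0.113.9", h, "ICMP") for h in HOSTS] + [
    Packet("10.0.0.5", "10.0.0.1", "ICMP"),
    Packet("203.0.113.9", "10.0.0.99", "ICMP"),   # unmonitored host: nobody sees it
    Packet("10.0.0.5", "10.0.0.2", "TCP"),
]

if __name__ == "__main__":
    console = run(PACKETS, HOSTS)
    for alert in console.db:
        print(alert)
```

No single sensor can tell a sweep from a stray ping, since each sees only its own host; the pattern only appears once the console aggregates the per-host alerts, which is why the notes have the sensors talk to the console and to each other. The packet to the unmonitored 10.0.0.99 is the blind spot of this design: coverage is exactly the set of hosts that carry an agent.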