526_Spring12_topic14
Transcript of 526_Spring12_topic14
-
7/26/2019 526_Spring12_topic14
1/20
CS526 Spring 2012/Topic 13 1
CS 526 Information Security
Topic 14: Intrusion Detection
-
Definitions
Intrusion: a set of actions aimed to compromise the security goals, namely integrity, confidentiality, or availability, of a computing and networking resource
Intrusion detection: the process of identifying and responding to intrusion activities
Intrusion prevention: extension of ID with exercises of access control to protect computers from exploitation
-
Elements of Intrusion Detection
Primary assumptions:
  System activities are observable
  Normal and intrusive activities have distinct evidence
Components of intrusion detection systems:
  From an algorithmic perspective:
    Features: capture intrusion evidences
    Models: piece evidences together
  From a system architecture perspective:
    Various components: audit data processor, knowledge base, decision engine, alarm generation and responses
-
Components of Intrusion Detection System
[Figure: IDS data flow. Audit data preprocessor -> audit records -> activity data -> detection engine (driven by detection models) -> alarms -> decision engine (driven by a decision table) -> action/report. Annotated with the two assumptions: system activities are observable; normal and intrusive activities have distinct evidence.]
-
Intrusion Detection Approaches
Modeling
  Features: evidences extracted from audit data
  Analysis approach: piecing the evidences together
    Misuse detection (a.k.a. signature based)
    Anomaly detection (a.k.a. statistical based)
Deployment: network based or host based
  Network based: monitor network traffic
  Host based: monitor computer processes
-
Misuse Detection
[Figure: known intrusion patterns are matched against observed activities (pattern matching); a match is reported as an intrusion.]
Can't detect new attacks
Example: if (src_ip == dst_ip) then land attack
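A minimal misuse detector built around the slide's land rule, as an added example (not code from the course slides). The packet records and the second, SYN+FIN signature are assumptions for illustration; the point to watch is the last packet, which matches no signature and therefore produces no alert however malicious it might be.

```python
# Added example, not from the course slides: a minimal misuse (signature based)
# detector. Each signature is a predicate over a parsed packet header; matching
# one reports an intrusion. Packet records are constructed for illustration.
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    flags: str  # TCP flag letters, e.g. "S" (SYN), "SA" (SYN+ACK), "SF" (SYN+FIN)


# Known intrusion patterns. The land rule is the one on the slide: a packet that
# claims the same address as source and destination. The SYN+FIN rule is an
# assumed second pattern; that flag combination never occurs in legitimate TCP.
SIGNATURES: List[Tuple[str, Callable[[Packet], bool]]] = [
    ("land attack", lambda p: p.src_ip == p.dst_ip),
    ("SYN+FIN flags", lambda p: "S" in p.flags and "F" in p.flags),
]


def detect(packets: List[Packet]) -> List[Tuple[int, str]]:
    """Pattern matching: return (packet index, signature name) for every match."""
    alerts = []
    for i, pkt in enumerate(packets):
        for name, matches in SIGNATURES:
            if matches(pkt):
                alerts.append((i, name))
    return alerts


# Constructed sample traffic. Whatever the last packet really is, no signature
# describes it, so a misuse detector stays silent: the slide's "new attacks" gap.
SAMPLE = [
    Packet("10.0.0.5", "10.0.0.5", 139, 139, "S"),
    Packet("198.51.100.7", "10.0.0.5", 40000, 22, "S"),
    Packet("198.51.100.7", "10.0.0.5", 40001, 22, "SF"),
    Packet("198.51.100.9", "10.0.0.5", 40002, 80, "S"),
]

if __name__ == "__main__":
    for idx, name in detect(SAMPLE):
        print(f"packet {idx}: {name}")
```

Running the block reports packets 0 and 2 only; adding coverage for anything else means writing another signature first, which is exactly the limitation the slide names.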
-
Anomaly Detection
[Figure: activity measures are compared against a profile of normal behavior; a large deviation is reported as a probable intrusion.]
Relatively high false positive rate
  Anomalies can just be new normal activities.
  Anomalies caused by other element faults
    E.g., router failure or misconfiguration
Any problem?
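A small statistical anomaly detector, added here as an example (not code from the course slides), to make the false positive point concrete. The per-interval connection counts, the training window and the threshold K are all constructed; the profile is simply the mean and standard deviation of the training counts.

```python
# Added example, not from the course slides: a simple statistical anomaly detector.
# A profile of normal behaviour (mean and standard deviation) is learned from a
# training window of per-interval outbound connection counts for one host; later
# intervals whose count sits more than K standard deviations above the mean are
# flagged. All counts and the threshold K are constructed for illustration.
import statistics
from typing import List, Tuple

K = 3.0  # alert threshold in standard deviations (an assumption)


def build_profile(training: List[int]) -> Tuple[float, float]:
    """Return (mean, stdev) of the training counts; stdev is floored at 1 so a
    perfectly flat training window does not divide by zero later."""
    return statistics.fmean(training), max(statistics.pstdev(training), 1.0)


def z_score(profile: Tuple[float, float], count: int) -> float:
    mean, stdev = profile
    return (count - mean) / stdev


def detect_anomalies(profile: Tuple[float, float], observed: List[int],
                     k: float = K) -> List[Tuple[int, int]]:
    """Return (interval index, count) for every interval scoring above k."""
    return [(i, c) for i, c in enumerate(observed) if z_score(profile, c) > k]


# Constructed training window: a workstation making 45-55 connections per interval.
TRAINING = [45, 52, 48, 55, 50, 47, 53, 49, 51, 46, 54, 50]
PROFILE = build_profile(TRAINING)  # mean 50.0, stdev about 3.03

# Constructed observation window. Interval 2 is a burst from a compromised host
# (a true alarm); interval 4 is a newly scheduled backup job, just as anomalous
# to the profile but benign: a false positive, the slide's "new normal activity".
OBSERVED = [50, 48, 400, 51, 220, 49]

if __name__ == "__main__":
    for i, c in detect_anomalies(PROFILE, OBSERVED):
        print(f"interval {i}: {c} connections, z = {z_score(PROFILE, c):.1f}")
```

Both flagged intervals look identical to the detector; only an analyst, or a retrained profile that includes the backup job, separates the intrusion from the new normal. The second kind of false positive on the slide, a fault elsewhere such as a misconfigured router, would show up the same way as a sudden drop or spike in the counts.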
-
Host-Based IDSs
Running on a single host
Monitoring
  Shell commands
  System call sequences
  Etc.
-
Network Based IDSs
At the early stage of the worm, only limited worm samples
Host based sensors can only cover limited IP space, which might have scalability issues. Thus they might not be able to detect the worm in its early stage.
[Figure: the Internet connected through gateway routers to our network, where detection runs only on individual hosts (host based detection).]
-
Network IDSs
Deploying sensors at strategic locations
  E.g., packet sniffing via tcpdump at routers
Inspecting network traffic
  Watch for violations of protocols and unusual connection patterns
Monitoring user activities
  Look into the data portions of the packets for malicious code
May be easily defeated by encryption
  Data portions and some header information can be encrypted
  The decryption engine may still be there, especially for exploit
-
Architecture of Network IDS
[Figure: network IDS processing pipeline. Packet capture (libpcap) -> TCP reassembly -> protocol identification -> packet stream -> signature matching (+ protocol parsing when needed).]
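Why TCP reassembly comes before signature matching in that pipeline, shown as an added example (not code from the course slides): a signature split across two segments is invisible to per-segment matching and visible once the stream is rebuilt. The segments, the initial sequence number and the signature string are constructed for the example.

```python
# Added example, not from the course slides: why TCP reassembly sits before
# signature matching in the pipeline. A signature split across two segments is
# invisible to per-segment matching and visible once the stream is rebuilt.
# The segments, the initial sequence number and the signature are constructed.
import re
from typing import Dict, List, Tuple

SIGNATURE = re.compile(rb"evil-token")  # an arbitrary byte string for the example
Segment = Tuple[int, bytes]             # (TCP sequence number, payload)


def match_per_segment(segments: List[Segment]) -> bool:
    """Naive approach: run the signature over each segment on its own."""
    return any(SIGNATURE.search(payload) for _, payload in segments)


def reassemble(segments: List[Segment], isn: int) -> bytes:
    """Rebuild the byte stream from sequence numbers, starting at isn.
    Retransmissions (same seq) keep the first copy; the rebuild stops at the
    first gap, as a real IDS would buffer until the missing segment arrives."""
    by_seq: Dict[int, bytes] = {}
    for seq, payload in segments:
        by_seq.setdefault(seq, payload)
    stream = b""
    expected = isn
    while expected in by_seq and by_seq[expected]:
        payload = by_seq[expected]
        stream += payload
        expected += len(payload)
    return stream


def match_after_reassembly(segments: List[Segment], isn: int) -> bool:
    return SIGNATURE.search(reassemble(segments, isn)) is not None


ISN = 1000
# Constructed segments, delivered out of order and with one retransmission.
SEGMENTS = [
    (1014, b"token needs reassembly"),  # second half arrives first
    (1000, b"GET /x?q=evil-"),          # 14 bytes, so the next seq is 1014
    (1014, b"token needs reassembly"),  # retransmission of the second half
]

if __name__ == "__main__":
    print("per segment:", match_per_segment(SEGMENTS))
    print("after reassembly:", match_after_reassembly(SEGMENTS, ISN))
```

The same reasoning applies to the protocol identification and parsing stages: a signature expressed over a parsed field only makes sense once the bytes have been put back into the order and structure the receiving application will see.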
-
Firewall/Net IPS vs Net IDS
Firewall/IPS: active filtering; fail close
Network IDS: passive monitoring; fail open
[Figure: the firewall (FW) inline on the traffic path, filtering; the IDS observing the traffic, monitoring.]
-
Problems with Current IDSs
Inaccuracy for exploit based signatures
Cannot recogni
-
Limitations of Exploit Based Signature
[Figure: traffic filtering at the border between the Internet and our network using the exploit based signature 10.*01, applied to incoming payloads 1010101, 10111101, 11111100, and 00010111.]
Polymorphic worm might not have exact exploit based signature
Polymorphism!
-
Vulnerability Signature
Work for polymorphic worms
Work for all the worms which target the same vulnerability
[Figure: vulnerability signature based traffic filtering between the Internet and our network, shielding the vulnerability on the inside from the worm variants.]
-
Example of Vulnerability Signatures
At least 75% vulnerabilities are due to buffer overflow
Sample vulnerability signature: field length corresponding to vulnerable buffer > certain threshold
Intrinsic to buffer overflow vulnerability and hard to evade
[Figure: a protocol message whose field is longer than the vulnerable buffer it is copied into (Overflow!).]
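The contrast drawn over the last three slides (an exploit based signature missing a polymorphic variant, a vulnerability signature catching every message that overflows the buffer), as an added example that is not code from the course slides. The line based protocol, its USER field, the 64 byte server buffer, and all three messages are constructed; the exploit based signature is simply the byte pattern of the first captured sample, and the vulnerability signature is the slide's field-length-over-threshold rule.

```python
# Added example, not from the course slides: an exploit based signature next to a
# vulnerability signature for the same (hypothetical) flaw. The protocol, the
# 64 byte server buffer, and all messages are constructed for illustration.
import re
from typing import Dict, Optional

VULNERABLE_BUFFER_LEN = 64  # assumed size of the buffer the USER field is copied into

# Exploit based signature: the byte pattern seen in the first captured sample,
# a long run of "A". It describes that one exploit instance, not the flaw.
EXPLOIT_SIGNATURE = re.compile(rb"USER A{100,}")


def parse_user_field(msg: bytes) -> Optional[bytes]:
    """Minimal protocol parsing: b'USER <name>\\r\\n' -> name, otherwise None."""
    m = re.match(rb"USER ([^\r\n]*)\r\n", msg)
    return m.group(1) if m else None


def exploit_signature_match(msg: bytes) -> bool:
    return EXPLOIT_SIGNATURE.search(msg) is not None


def vulnerability_signature_match(msg: bytes) -> bool:
    """Vulnerability signature from the slide: the field that lands in the
    vulnerable buffer is longer than a threshold (here, the buffer size). Every
    message that overflows the buffer satisfies this, whatever bytes it carries."""
    field = parse_user_field(msg)
    return field is not None and len(field) > VULNERABLE_BUFFER_LEN


# Constructed messages.
BENIGN = b"USER alice\r\n"
SAMPLE_EXPLOIT = b"USER " + b"A" * 200 + b"\r\n"             # the first captured sample
POLYMORPHIC = b"USER " + bytes(range(65, 91)) * 8 + b"\r\n"   # same flaw, different filler


def compare(msg: bytes) -> Dict[str, bool]:
    """Run both signatures over one message."""
    return {"exploit": exploit_signature_match(msg),
            "vulnerability": vulnerability_signature_match(msg)}


if __name__ == "__main__":
    for label, msg in [("benign", BENIGN), ("sample", SAMPLE_EXPLOIT),
                       ("polymorphic", POLYMORPHIC)]:
        print(label, compare(msg))
```

The polymorphic message is where the two diverge: it carries no run of "A" and so slips past the exploit based signature, but its USER field is still longer than the buffer, which is the property the overflow cannot do without. The price is the protocol parsing step, which is why the NIDS pipeline on the architecture slide includes it.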
-
Counting Zero-Day Attacks
Honeynet/darknet
Statistical detection
-
Key Metrics of IDS/IPS
Algorithm
  Alarm: A; Intrusion: I
  Detection (true alarm) rate: P(A|I)
    False negative rate: P(¬A|I)
  False alarm (a.k.a. false positive) rate: P(A|¬I)
    True negative rate: P(¬A|¬I)
Architecture
  Throughput of NIDS, targeting 10s of Gbps
    E.g., 32 nsec for 40 byte TCP SYN packet
  Resilient to attacks
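The four algorithm metrics computed from labelled alarm data, as an added example (not code from the course slides). The event counts are constructed; P(I|A), the share of alarms that are real, is added alongside the slide's four rates because it is the quantity the base rate fallacy slides are about.

```python
# Added example, not from the course slides: the four rates on the slide computed
# from labelled alarm data, plus P(I|A), which is what the base rate fallacy is
# about. Records pair ground truth (intrusion?) with the IDS decision (alarm?);
# the counts below are constructed.
from fractions import Fraction
from typing import Dict, List, Tuple

Record = Tuple[bool, bool]  # (intrusion, alarm)


def confusion(records: List[Record]) -> Dict[str, int]:
    return {
        "TP": sum(1 for i, a in records if i and a),
        "FN": sum(1 for i, a in records if i and not a),
        "FP": sum(1 for i, a in records if not i and a),
        "TN": sum(1 for i, a in records if not i and not a),
    }


def rates(records: List[Record]) -> Dict[str, Fraction]:
    c = confusion(records)
    intrusions, benign = c["TP"] + c["FN"], c["FP"] + c["TN"]
    if intrusions == 0 or benign == 0:
        raise ValueError("need both intrusion and benign records")
    return {
        "P(A|I)": Fraction(c["TP"], intrusions),    # detection (true alarm) rate
        "P(~A|I)": Fraction(c["FN"], intrusions),   # false negative rate
        "P(A|~I)": Fraction(c["FP"], benign),       # false alarm (false positive) rate
        "P(~A|~I)": Fraction(c["TN"], benign),      # true negative rate
    }


def alarm_precision(records: List[Record]) -> Fraction:
    """P(I|A): the share of raised alarms that are real intrusions."""
    c = confusion(records)
    return Fraction(c["TP"], c["TP"] + c["FP"])


# Constructed: 20 intrusions among 10020 events; the IDS catches 18 of them and
# raises a false alarm on 1% of benign events.
RECORDS = ([(True, True)] * 18 + [(True, False)] * 2
           + [(False, True)] * 100 + [(False, False)] * 9900)

if __name__ == "__main__":
    for name, value in rates(RECORDS).items():
        print(f"{name} = {value}")
    print(f"P(I|A) = {alarm_precision(RECORDS)}")
```

With a 90% detection rate and only a 1% false alarm rate, fewer than one alarm in six is a real intrusion in this data, because benign events outnumber intrusions 500 to 1; the false alarm rate has to be judged against the base rate, not on its own.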
-
See the Base Rate Fallacy Slides
-
Coming Attractions: Web Security