526_Spring12_topic14


Transcript of 526_Spring12_topic14

  • 7/26/2019 526_Spring12_topic14

    CS526 Spring 2012/Topic 13 1

    Information Security, CS 526

    Topic 14: Intrusion Detection

    Definitions

    Intrusion: A set of actions aimed at compromising the security goals, namely integrity, confidentiality, or availability, of a computing and networking resource.

    Intrusion detection: The process of identifying and responding to intrusion activities.

    Intrusion prevention: Extension of ID with exercises of access control to protect computers from exploitation.

    Elements of Intrusion Detection

    Primary assumptions:
    • System activities are observable
    • Normal and intrusive activities have distinct evidence

    Components of intrusion detection systems:
    From an algorithmic perspective:
    • Features: capture intrusion evidences
    • Models: piece evidences together
    From a system architecture perspective:
    • Various components: audit data preprocessor, knowledge base, decision engine, alarm generation and responses

    Components of Intrusion Detection System

    [Figure: Audit Records -> Audit Data Preprocessor -> Activity Data -> Detection Engine (driven by Detection Models) -> Alarms -> Decision Engine (driven by Decision Table) -> Action/Report. The figure annotates the two assumptions: system activities are observable; normal and intrusive activities have distinct evidence.]

    Intrusion Detection Approaches

    Modeling
    • Features: evidences extracted from audit data
    • Analysis approach: piecing the evidences together
      • Misuse detection (a.k.a. signature based)
      • Anomaly detection (a.k.a. statistical based)

    Deployment: Network based or Host based
    • Network based: monitor network traffic
    • Host based: monitor computer processes

    Misuse Detection

    [Figure: intrusion patterns and observed activities -> pattern matching -> intrusion]

    Can't detect new attacks

    Example: if (src_ip == dst_ip) then land attack

    Anomaly Detection

    [Figure: activity measures -> statistical model -> probable intrusion]

    Relatively high false positive rate
    • Anomalies can just be new normal activities.
    • Anomalies caused by other element faults
      • E.g., router failure or misconfiguration, P2P misconfiguration

    Any problem?
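The two approaches on the previous slides, misuse detection (the land-attack rule from the Misuse Detection slide) and anomaly detection (a statistical baseline), side by side on the same data. This is an added example, not code from the lecture: the flow records, the baseline counts, the threshold of three standard deviations and the IP addresses are all constructed for illustration.

```python
"""Misuse vs. anomaly detection over constructed flow records (added example)."""
from collections import Counter
from statistics import mean, pstdev
from typing import NamedTuple


class Flow(NamedTuple):
    ts: int          # second in which the connection attempt was seen
    src_ip: str
    dst_ip: str
    dst_port: int
    syn_only: bool   # SYN seen with no completed handshake


# Constructed sample records (not captured traffic).
FLOWS = (
    [Flow(0, "10.0.0.5", "10.0.0.9", 80, False),
     Flow(1, "10.0.0.5", "10.0.0.9", 443, False),
     Flow(2, "10.0.0.9", "10.0.0.9", 139, True),     # src == dst: land attack
     Flow(3, "10.0.0.7", "10.0.0.9", 22, False)]
    + [Flow(60, "10.0.0.8", "10.0.0.9", p, True) for p in range(1, 41)]   # port sweep
    + [Flow(120, "10.0.0.6", "10.0.0.9", 445, True) for _ in range(5)]    # new backup job (benign)
)

# Constructed baseline: SYN-only connections per (source, second) observed
# during a training window in which no attack took place.
BASELINE_COUNTS = [1, 2, 1, 1, 3, 2, 1, 2, 1, 2]

# Signature rules: predicates over a single record (misuse detection).
SIGNATURES = {
    "land attack": lambda f: f.src_ip == f.dst_ip,
}


def misuse_detect(flows, rules=SIGNATURES):
    """Flag any record matching a known pattern. Anything without a rule
    (here: the port sweep) is invisible to this detector."""
    return [(f.ts, f.src_ip, name)
            for f in flows for name, pred in rules.items() if pred(f)]


def anomaly_detect(flows, baseline=BASELINE_COUNTS, threshold=3.0):
    """Flag (source, second) pairs whose SYN-only count deviates from the
    baseline by more than `threshold` standard deviations. Catches the
    sweep with no rule for it, but also the benign backup job."""
    mu, sigma = mean(baseline), pstdev(baseline)
    counts = Counter((f.src_ip, f.ts) for f in flows if f.syn_only)
    alarms = []
    for (src, ts), n in counts.items():
        z = (n - mu) / sigma
        if z > threshold:
            alarms.append((ts, src, n, round(z, 1)))
    return sorted(alarms)


if __name__ == "__main__":
    print("misuse:", misuse_detect(FLOWS))
    print("anomaly:", anomaly_detect(FLOWS))
```

The land attack is a single packet with nothing statistically unusual about it, so only the signature sees it; the port sweep has no signature, so only the anomaly detector sees it, and the same detector also raises the "new normal" false positive on the backup host.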

    Host-Based IDSs

    Running on a single host
    Monitoring
    • Shell commands
    • System call sequences
    • Etc.

    Network Based IDSs

    At the early stage of the worm, only limited worm samples are available.
    Host based sensors can only cover limited IP space, which might have scalability issues. Thus they might not be able to detect the worm in its early stage.

    [Figure: Internet -> gateway routers -> our network, with host based detection on individual hosts inside the network]

    Network IDSs

    Deploying sensors at strategic locations
    • E.g., packet sniffing via tcpdump at routers
    Inspecting network traffic
    • Watch for violations of protocols and unusual connection patterns
    Monitoring user activities
    • Look into the data portions of the packets for malicious code
    May be easily defeated by encryption
    • Data portions and some header information can be encrypted
    • The decryption engine may still be there, especially for exploit

    Architecture of Network IDS

    [Figure: pipeline of Packet capture (libpcap) -> Packet stream -> TCP reassembly -> Protocol identification -> Signature matching (& protocol parsing when needed)]
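Why the TCP reassembly stage sits before signature matching in that pipeline: a pattern split across two segments, or delivered out of order, is never seen by a matcher that looks at one packet at a time. This is an added example, not code from the lecture or from any NIDS; the segments, the sequence numbers and the request-line pattern used as a stand-in signature are constructed.

```python
"""TCP reassembly before signature matching, over constructed segments (added example)."""
import re
from typing import NamedTuple


class Segment(NamedTuple):
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


# Illustrative request-line pattern standing in for a signature rule.
SIGNATURE = re.compile(rb"/cgi-bin/phf\?")

# Constructed segments of one direction of a TCP stream (ISN 1000): the
# string the signature looks for is split across two segments, the
# segments arrive out of order, and the first one is retransmitted.
SEGMENTS = [
    Segment(1000, b"GET /cgi-"),
    Segment(1017, b" HTTP/1.0\r\n\r\n"),
    Segment(1009, b"bin/phf?"),
    Segment(1000, b"GET /cgi-"),   # retransmission
]


def per_packet_match(segments, sig=SIGNATURE):
    """Naive matcher: inspect every packet on its own. Returns the seq
    numbers of matching packets; a pattern straddling a segment boundary
    is never seen."""
    return [s.seq for s in segments if sig.search(s.payload)]


def reassemble(segments, isn):
    """Rebuild the byte stream in sequence order: skip data already
    delivered (retransmissions), take only the new tail of an overlapping
    segment, and stop at the first hole (bytes never captured)."""
    stream = bytearray()
    expected = isn
    for seg in sorted(segments, key=lambda s: s.seq):
        end = seg.seq + len(seg.payload)
        if end <= expected:
            continue                      # entirely old data
        if seg.seq > expected:
            break                         # gap: cannot continue safely
        stream += seg.payload[expected - seg.seq:]
        expected = end
    return bytes(stream)


def stream_match(segments, isn, sig=SIGNATURE):
    """Match against the reassembled stream; returns the byte offset of
    the first hit, or None."""
    m = sig.search(reassemble(segments, isn))
    return m.start() if m else None


if __name__ == "__main__":
    print("per-packet hits:", per_packet_match(SEGMENTS))
    print("stream:", reassemble(SEGMENTS, 1000))
    print("stream hit at:", stream_match(SEGMENTS, 1000))
```

Stopping at the first hole rather than skipping over it is a deliberate choice: matching across a gap would let an attacker hide the bytes the signature needs in a segment the sensor never saw, so the stream is only reported as far as it is known to be complete.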

    Firewall/Net IPS VS Net IDS

    Firewall/IPS: Active filtering; Fail close
    Network IDS: Passive monitoring; Fail open

    [Figure: FW placed inline on the traffic path; IDS attached beside the path]

    Problems with Current IDSs

    Inaccuracy for exploit based signatures
    Cannot recogni

    Limitations of Exploit Based Signature

    [Figure: Internet -> traffic filtering -> our network. Worm payloads 1010101, 10111101, 11111100, 00010111 are checked against Signature: 10.*01; the variants that do not match the pattern pass the filter.]

    Polymorphic worm might not have exact exploit based signature

    Polymorphism!

    Vulnerability Signature

    Work for polymorphic worms
    Work for all the worms which target the same vulnerability

    [Figure: Internet -> vulnerability signature traffic filtering -> our network; every worm variant aimed at the vulnerability is blocked at the filter.]
    Example of Vulnerability Signatures

    At least 75% of vulnerabilities are due to buffer overflow
    Sample vulnerability signature:
    • Field length corresponding to vulnerable buffer > certain threshold
    Intrinsic to buffer overflow vulnerability and hard to evade

    [Figure: protocol message whose field is longer than the vulnerable buffer it is copied into: Overflow!]
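The contrast drawn on the last three slides (exploit-based signature evaded by polymorphism, vulnerability signature keyed to the field length) worked through on a constructed protocol. This is an added example, not code from the lecture: the wire format, the opcode 0x01, the 64-byte vulnerable buffer, the exploit byte pattern and all four messages are assumptions made for illustration.

```python
"""Exploit-based vs. vulnerability-based signature over a constructed protocol (added example)."""
import struct

# Assumed facts about the hypothetical protocol and its flaw:
# opcode 0x01 carries a length-prefixed field that the server copies
# into a fixed 64-byte stack buffer without a bounds check.
VULNERABLE_OPCODE = 0x01
VULNERABLE_BUFFER = 64


def build_message(opcode, field):
    """Constructed wire format: 1-byte opcode, 2-byte big-endian length, field bytes."""
    return struct.pack("!BH", opcode, len(field)) + field


def parse_message(msg):
    """Protocol parsing needed by the vulnerability signature; rejects
    truncated input instead of guessing."""
    if len(msg) < 3:
        raise ValueError("short message")
    opcode, length = struct.unpack("!BH", msg[:3])
    field = msg[3:3 + length]
    if len(field) != length:
        raise ValueError("truncated field")
    return opcode, field


# Exploit-based signature: bytes lifted from one captured exploit (constructed
# here as a NOP sled followed by a breakpoint-filled marker).
EXPLOIT_SIGNATURE = b"\x90" * 8 + b"\xcc\xcc"


def exploit_signature_match(msg):
    """Byte-pattern match, no parsing. Misses any variant with different bytes."""
    return EXPLOIT_SIGNATURE in msg


def vulnerability_signature_match(msg, threshold=VULNERABLE_BUFFER):
    """Fires on the condition that actually triggers the bug: the field
    destined for the vulnerable buffer is longer than the buffer.
    Every exploit must satisfy this, whatever bytes it carries."""
    opcode, field = parse_message(msg)
    return opcode == VULNERABLE_OPCODE and len(field) > threshold


# Constructed messages.
BENIGN = build_message(0x01, b"alice")
EXPLOIT_A = build_message(0x01, EXPLOIT_SIGNATURE + b"A" * 90)                      # captured variant
EXPLOIT_B = build_message(0x01, bytes((37 * i + 11) & 0xFF for i in range(100)))   # polymorphic variant
OTHER_OPCODE = build_message(0x02, b"B" * 100)   # long field that never reaches the vulnerable buffer


def evaluate(messages):
    """Return {name: (exploit_sig_hit, vuln_sig_hit)} for each message."""
    return {name: (exploit_signature_match(m), vulnerability_signature_match(m))
            for name, m in messages.items()}


if __name__ == "__main__":
    verdicts = evaluate({"benign": BENIGN, "exploit_a": EXPLOIT_A,
                         "exploit_b": EXPLOIT_B, "other_opcode": OTHER_OPCODE})
    for name, (exploit_hit, vuln_hit) in verdicts.items():
        print(f"{name:13s} exploit_sig={exploit_hit!s:5s} vuln_sig={vuln_hit}")
```

The polymorphic variant shares not a single byte with the captured one and slips past the exploit signature, but it still has to send more than 64 bytes in that field to overflow the buffer, which is exactly what the vulnerability signature tests. The opcode check matters too: a long field in a message type that never touches the vulnerable buffer is not an attack, and flagging it would be the kind of inaccuracy the earlier slide complains about.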

    Counting Zero-Day Attacks

    Honeynet/darknet
    Statistical detection

    Key Metrics of IDS/IPS

    Algorithm
    • Alarm: A; Intrusion: I
    • Detection (true alarm) rate: P(A|I)
      • False negative rate: P(¬A|I)
    • False alarm (a.k.a. false positive) rate: P(A|¬I)
      • True negative rate: P(¬A|¬I)

    Architecture
    • Throughput of NIDS, targeting 10s of Gbps
      • E.g., 32 nsec for 40 byte TCP SYN packet
    • Resilient to attacks
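The four rates above computed from a labeled evaluation set, followed by the quantity an operator actually cares about, P(I|A), which depends on the base rate P(I) and motivates the base rate fallacy slides referenced next; the per-packet time budget from the architecture bullet is included for the 40-byte SYN case. This is an added example, not code from the lecture; the evaluation set (10 intrusions, 990 normal events) and the base rates tried are constructed.

```python
"""IDS metrics from a labeled evaluation set, plus the base-rate effect (added example)."""
from fractions import Fraction

# Constructed evaluation set: one (intrusion?, alarm?) pair per audit event.
# 10 real intrusions (9 caught), 990 normal events (10 false alarms).
LABELS = ([(True, True)] * 9 + [(True, False)] * 1
          + [(False, True)] * 10 + [(False, False)] * 980)


def confusion(labels):
    """Return (tp, fp, fn, tn) counts."""
    tp = fp = fn = tn = 0
    for intrusion, alarm in labels:
        if intrusion and alarm:
            tp += 1
        elif intrusion:
            fn += 1
        elif alarm:
            fp += 1
        else:
            tn += 1
    return tp, fp, fn, tn


def rates(labels):
    """The four conditional rates from the slide, as exact fractions."""
    tp, fp, fn, tn = confusion(labels)
    return {
        "P(A|I)   detection":      Fraction(tp, tp + fn),
        "P(~A|I)  false negative": Fraction(fn, tp + fn),
        "P(A|~I)  false positive": Fraction(fp, fp + tn),
        "P(~A|~I) true negative":  Fraction(tn, fp + tn),
    }


def alarm_precision(p_a_given_i, p_a_given_not_i, p_i):
    """P(I|A) via Bayes: the chance an alarm is a real intrusion. Once the
    base rate P(I) is small it dominates, however good P(A|I) is."""
    p_a = p_a_given_i * p_i + p_a_given_not_i * (1 - p_i)
    return p_a_given_i * p_i / p_a


def per_packet_budget_ns(packet_bytes, gbps):
    """Nanoseconds a NIDS has per packet to keep up with line rate."""
    return packet_bytes * 8 / gbps


if __name__ == "__main__":
    r = rates(LABELS)
    for name, value in r.items():
        print(f"{name}: {value} = {float(value):.4f}")
    p_ai, p_an = r["P(A|I)   detection"], r["P(A|~I)  false positive"]
    for base in (Fraction(1, 100), Fraction(1, 100_000)):
        print(f"P(I)={float(base):.5f}: P(I|A)={float(alarm_precision(p_ai, p_an, base)):.4f}")
    print("budget at 10 Gbps for a 40-byte SYN:", per_packet_budget_ns(40, 10), "ns")
```

With a 90% detection rate and a 1% false positive rate, an alarm is a real intrusion less than half the time when intrusions are 1 in 100 events, and well under 0.1% of the time when they are 1 in 100,000: the false positive rate, not the detection rate, is what makes the alarm stream usable.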

    See the Base Rate Fallacy Slides

    Coming Attractions: Web Security