91.580.203 Computer & Network Forensics Overview of Intrusion Detection/prevention Xinwen Fu

Posted 18-Dec-2015

91.580.203 Computer & Network Forensics

Overview of Intrusion Detection/Prevention

Xinwen Fu

By Dr. Xinwen Fu, CS@UML

Outline
What is intrusion detection
Host, Network & Perimeter Detection
The Emergence of Intrusion Prevention
Real-World Examples
Future Directions

A Big Picture of Cyber Space

(Figure: network diagram showing the Internet, a router, a firewall, a switch and an intrusion detection system, with the UML and TAMU networks; source: http://www.inmon.com/tutorials/ids.php)

What is Intrusion Detection?
"a process of identifying and responding to malicious activity targeted at computing and networking resources"

(Figure: the incident response process. An incident occurs, either point-in-time or ongoing. Stages: pre-incident preparation; detection of incidents; initial response; formulate response strategy; investigate the incident (data collection, data analysis); reporting; resolution, recovery, implement security measures. CSIRT: Computer Security Incident Response Team.)

A Brief History of Intrusion Detection
1970s – Rudimentary audit-trail analysis
1980s – Signature-based expert systems
1990s – Explosion of available IDS systems
2000s:
  Emergence of Active IDS: Intrusion Detection and Prevention (IDP), Intrusion Prevention Systems (IPS)
  Convergence of technologies: Firewall + IDP + Anti-Virus, Appliances and Security Switches
Host => Network => Perimeter

A Sample Intrusion Detection System (IDS)


Outline
What is intrusion detection
Host, Network & Perimeter Detection
The Emergence of Intrusion Prevention
Real-World Examples
Future Directions

(Figure: network map with the Internet, UML, TAMU, Mid-Continent and ComCast)

HIDS: Host-Based Intrusion Detection System
HIDS resides on a single host system
System analyzes:
  Network packets entering and leaving the host
  Audit trails and log files on the host
  Processes and systems running on the host
Recent advances in Intrusion Prevention:
  Protocol enforcement
  Stack enforcement
  File checksum monitoring
All these attempt to protect against exploitation of software vulnerabilities by buffer overflow or protocol anomalies

Buffer overflows

#include <string.h>

int main(int argc, char *argv[]) {
    char buffer[512];               /* fixed-size local variable on the stack */
    if (argc > 1)
        strcpy(buffer, argv[1]);    /* no length check: an argument of 512 bytes or more overflows buffer */
    return 0;
}

What is happening within your code?
1. The stack is used to store local variables and the return address (where your function should return when it finishes)
2. An attacker's input consists of:
   malicious code
   a new return address (pointing to the malicious code)
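The following C program is an added example, not code from the slides: it keeps the slide's unchecked strcpy pattern for contrast and places beside it the bounds-checked copy that prevents the overflow at the source, which is what host-based protections such as stack enforcement are a safety net for. The names copy_unchecked, copy_checked and try_copy_of_length, and the reuse of the slide's 512-byte buffer as BUF_SIZE, are this example's own choices.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 512   /* same buffer size as the slide's example */

/* The slide's pattern: strcpy stops only at the NUL terminator, so an
 * argument of 512 bytes or more writes past buffer into the saved frame
 * data above it, including the return address. Kept for contrast and
 * never called with oversized input in this program. Returns bytes copied. */
size_t copy_unchecked(const char *argv1) {
    char buffer[BUF_SIZE];
    strcpy(buffer, argv1);
    return strlen(buffer);
}

/* Hardened form: measure the source without reading more than dst_size
 * bytes, and reject anything that would not fit together with its NUL.
 * Returns 0 on success, -1 when the input is rejected. */
int copy_checked(char *dst, size_t dst_size, const char *src) {
    size_t len = 0;
    while (len < dst_size && src[len] != '\0') {
        len++;
    }
    if (len >= dst_size) {
        return -1;                 /* no room for the content plus its NUL */
    }
    memcpy(dst, src, len + 1);     /* len + 1 copies the terminator too */
    return 0;
}

/* Constructed input for demonstration: n bytes of 'A' copied into a
 * BUF_SIZE destination. Returns the copy_checked verdict, or -2 if n does
 * not fit the scratch source buffer. */
int try_copy_of_length(size_t n) {
    char src[1024];
    char dst[BUF_SIZE];
    if (n >= sizeof src) {
        return -2;
    }
    memset(src, 'A', n);
    src[n] = '\0';
    return copy_checked(dst, sizeof dst, src);
}

int main(int argc, char *argv[]) {
    char buffer[BUF_SIZE];
    if (argc > 1) {
        if (copy_checked(buffer, sizeof buffer, argv[1]) != 0) {
            fprintf(stderr, "rejected: argument longer than %d bytes\n", BUF_SIZE - 1);
            return 1;
        }
        printf("copied %zu bytes\n", strlen(buffer));
    }
    /* 511 bytes is the longest string that fits; 512 and above are refused */
    printf("511 -> %d, 512 -> %d, 600 -> %d\n",
           try_copy_of_length(511), try_copy_of_length(512), try_copy_of_length(600));
    return 0;
}
```

The check is deliberately on the destination size rather than on the attacker-controlled string length: copy_checked never reads past dst_size bytes of the source, so an unterminated or hostile input cannot push it into reading out of bounds either.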

Where is the HIDS on the Internet?

(Figure: network map with TAMU, Mid-Continent, ComCast and UML)

NIDS: Network-Based Intrusion Detection System
NIDS listens to the entire network segment
System analyzes:
  Network packets passing along the network cable
  Audit trails and log files sent to the NIDS by hosts
  Processes and systems running on the network hosts
Recent advances in Intrusion Prevention:
  "Active" rules to shut down connections
  "Integration" with firewalls to disable attackers
  "Data mining" to summarize the events

Where is the NIDS on the Internet?

(Figure: network map with TAMU, Mid-Continent, ComCast and UML)

PIDS: Perimeter-Based Intrusion Detection System
PIDS resides on a gateway/edge router
System analyzes:
  Network packets passing through the gateway
  Audit trails and log files on the gateway
  Processes and systems running on the gateway
Recent advances in Intrusion Prevention:
  Actively blocking known malicious attacks
  Zero-latency blocking

Where is the PIDS on the Internet?

(Figure: network map with TAMU, Mid-Continent, Prairiewave and DSU)

Outline
What is intrusion detection
Host, Network & Perimeter Detection
The Emergence of Intrusion Prevention
Real-World Examples
Future Directions

Throughput - Real Time Intrusion Detection
Current technology can perform at gigabit speeds
To exceed that speed, there are various options:
  Software: signature sets based on protocol; optimization, reducing the amount of traffic that must be scanned
  Hardware: co-processor chips, ASIC (application-specific integrated circuit) or others; faster main processors
This is important for host and network IDP
But for perimeter IDP, how fast is your ISP link?

The Emergence of Intrusion Prevention
If you detect an attack and know it's an attack, it seems sensible to block it
However, three problems are apparent:
1. False positives (false alarms) – blocking normal traffic
2. Denial of service – blocking spoofed hosts
3. Latency – delays in blocking limit effectiveness
Evolution of the technology, and the merging of firewall and IDP functionality, is solving these problems

A Big Picture of Intrusion Detection and Prevention Being Together

(Figure: Prevent and Detect shown side by side)

Outline
What is intrusion detection
Host, Network & Perimeter Detection
The Emergence of Intrusion Prevention
Real-World Examples
Future Directions

SQL Slammer Worm
The fastest Internet worm in history
Time line:
  July 24th 2002, Microsoft announced the vulnerability
  January 25th 2003, SQL Slammer worm unleashed; 05:29:36 GMT first detection
  It infected more than 90 percent of vulnerable hosts within 10 minutes
The Worm:
  376 byte viral payload in a single UDP packet
  Infects machines with a single packet over UDP/1434
  UDP is connectionless and can be broadcast: possible to infect multiple hosts with 1 packet

Hosts Infected With Slammer
A before-and-after animation showing the number of infected Sapphire hosts in a half-hour period between 05:29 UTC and 06:00 UTC.
http://www.caida.org/research/security/sapphire/

How to stop SQL Slammer?
Patch
Firewall / VPN:
  Block UDP/1434 (inbound and outbound)
  Use a VPN for access to sensitive services
Intrusion Detection and Prevention:
  UDP/1434 is a well known protocol: well known vulnerability, 6 months before the exploit
  IDP signatures can detect and block exploits of this vulnerability
  The size of the packet is anomalous behavior
Zero-latency active IDS/IDP is the only way of blocking this worm
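To make the slide's two detection routes concrete, here is an added C example, not from the slides or any IDS product, that inspects constructed packet summaries the way an inline IDP on the UDP/1434 path would. The signature rule is built only from the two facts the slides give (a UDP datagram to port 1434 with a 376-byte payload), and the anomaly check compares payload size against a per-port baseline of normal traffic. The packet_t and baseline_t types, the inspect and verdict_for functions, the verdict names and the baseline numbers (64 bytes for port 1434, 512 for port 53) are assumptions of this example, as is the sample traffic.

```c
#include <stdint.h>
#include <stdio.h>

enum { PROTO_TCP = 6, PROTO_UDP = 17 };   /* IP protocol numbers */

/* Constructed summary of one captured datagram: the header fields a
 * signature engine needs plus the UDP payload length. Not a real capture format. */
typedef struct {
    uint8_t  proto;
    uint16_t dst_port;
    uint16_t payload_len;
} packet_t;

/* What a passive IDS (alert only) or an inline IDP (block) does with a packet. */
typedef enum { VERDICT_PASS = 0, VERDICT_ALERT = 1, VERDICT_BLOCK = 2 } verdict_t;

/* Signature detection: the known exploit profile from the slides, a single
 * UDP datagram to port 1434 carrying a 376-byte payload. */
int matches_slammer_signature(const packet_t *p) {
    return p->proto == PROTO_UDP && p->dst_port == 1434 && p->payload_len == 376;
}

/* Anomaly detection: a per-port ceiling on payload size learned from normal
 * traffic. The numbers are assumptions for this example: resolution-service
 * requests on 1434 are tiny, classic DNS over UDP is at most 512 bytes. */
typedef struct {
    uint16_t port;
    uint16_t max_normal_len;
} baseline_t;

static const baseline_t baselines[] = {
    { 1434, 64 },
    { 53, 512 },
};

int is_size_anomaly(const packet_t *p) {
    size_t i;
    if (p->proto != PROTO_UDP) {
        return 0;   /* the baselines here cover UDP services only */
    }
    for (i = 0; i < sizeof baselines / sizeof baselines[0]; i++) {
        if (baselines[i].port == p->dst_port) {
            return p->payload_len > baselines[i].max_normal_len;
        }
    }
    return 0;       /* no baseline for this port: nothing to compare against */
}

/* active = 1 models an inline IDP that blocks with zero latency; active = 0
 * models a passive IDS that only alerts. A signature hit is acted on at once;
 * a size anomaly alone is only flagged, because blocking on anomalies alone
 * is the slide's false-positive problem. */
verdict_t inspect(const packet_t *p, int active) {
    if (matches_slammer_signature(p)) {
        return active ? VERDICT_BLOCK : VERDICT_ALERT;
    }
    if (is_size_anomaly(p)) {
        return VERDICT_ALERT;
    }
    return VERDICT_PASS;
}

/* Convenience wrapper for single packets. */
verdict_t verdict_for(uint8_t proto, uint16_t dst_port, uint16_t payload_len, int active) {
    packet_t p = { proto, dst_port, payload_len };
    return inspect(&p, active);
}

/* Runs constructed sample traffic and returns how many packets were blocked. */
int count_blocked(int active) {
    static const packet_t traffic[] = {
        { PROTO_UDP, 1434, 376 },   /* the worm datagram described on the slide */
        { PROTO_UDP, 1434, 20 },    /* an ordinary resolution-service request */
        { PROTO_UDP, 1434, 300 },   /* oversized, but not the known signature */
        { PROTO_TCP, 1434, 376 },   /* same size over TCP: signature does not apply */
        { PROTO_UDP, 53, 600 },     /* DNS message larger than the UDP baseline */
    };
    int blocked = 0;
    size_t i;
    for (i = 0; i < sizeof traffic / sizeof traffic[0]; i++) {
        verdict_t v = inspect(&traffic[i], active);
        printf("packet %zu: proto=%u port=%u len=%u -> %s\n", i,
               (unsigned)traffic[i].proto, (unsigned)traffic[i].dst_port,
               (unsigned)traffic[i].payload_len,
               v == VERDICT_BLOCK ? "BLOCK" : v == VERDICT_ALERT ? "ALERT" : "pass");
        if (v == VERDICT_BLOCK) {
            blocked++;
        }
    }
    return blocked;
}

int main(void) {
    printf("inline IDP blocked %d packet(s)\n", count_blocked(1));
    printf("passive IDS blocked %d packet(s)\n", count_blocked(0));
    return 0;
}
```

Run over the sample traffic, the inline mode blocks exactly the signature match and alerts on the two oversized datagrams, while passive mode blocks nothing: that difference is the latency argument the slide makes, since a worm that saturates vulnerable hosts in minutes leaves no time for a human to act on an alert.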

Outline
What is intrusion detection
Host, Network & Perimeter Detection
The Emergence of Intrusion Prevention
Real-World Examples
Future Directions

Future Directions What do you think?


IDS Classification

(Figure: a taxonomy of intrusion detection systems by six criteria)
Intrusion detection approach: Anomaly detection; Signature detection
Protected systems: HIDS; NIDS; Hybrids
Structure: Centralized system; Distributed system; Agent system
Data sources: Audit trail; Network packets; System state analysis (kernel, services, file, etc.)
Behavior after an attack: Active IDS; Passive IDS
Analysis timing: On-the-fly processing; Interval-based IDS

Terms
Anomaly detection: explores issues in intrusion detection associated with deviations from normal system or user behavior
Signature detection: discriminates between anomaly or attack patterns (signatures) and known intrusion detection signatures (also called rule-based detection)
HIDS: uses information derived from a single host
NIDS: exploits information obtained from a whole segment of a local network
Passive IDS: simply generates alerts and logs network packets
Active IDS: detects and responds to attacks, attempts to patch software holes before getting hacked, or acts proactively by logging out potential intruders or blocking services

References
Przemyslaw Kazienko & Piotr Dorosz, Intrusion Detection Systems (IDS) Part I - (network intrusions; attack symptoms; IDS tasks; and IDS architecture), http://www.windowsecurity.com/pages/article_p.asp?id=1147, Apr 07, 2003
Przemyslaw Kazienko & Piotr Dorosz, Intrusion Detection Systems (IDS) Part 2 - Classification; methods; techniques, http://www.windowsecurity.com/pages/article_p.asp?id=1335, Jun 15, 2004
Cisco IDS Solution, http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/networking_solutions_audience_business_benefit09186a008033a458.html, 2005
Randy Stauber, Defense In Depth, http://www.infosecwriters.com/texts.php?op=display&id=170, 19/05/04