INTRUSION DETECTION SYSTEM (IDS) · 2015-07-02 · Intrusion detection system (IDS) Intrusion:...
INTRUSION DETECTION SYSTEM (IDS)
by Kilausuria Abdullah (GCIH), Cyberspace Security Lab, MIMOS Berhad
OUTLINE
• Security incident
• Attack scenario
• Intrusion detection system
• Issues and challenges
• Conclusion
Security incident landscape in Malaysia
- Intrusion accounts for a high share of the reported incidents
- Total reported incidents related to intrusion (excluding spam): more than 300 cases
Fig 1: MyCERT quarterly report
Losses incurred from security incidents
Source: CSI, CSO, PWC, MIMOS Analysis
• Total losses have also declined, which could be related to the reduced number of incidents reported
Pre-attack (diagram: attacker, target and victim)
Post-attack (diagram)
Security incidents from the intruder's view
• An attack is unsuccessful from the perspective of the intruder if none of their objectives are fulfilled
• Some components of an attack from the perspective of an intruder are:
- Objective?
- Exploit scripts?
- Vulnerabilities in the target system?
- Risk of carrying out an intrusion?
- Damage caused or consequences to the victim?
Security incident from the victim's view
• From a victim's perspective, an attack is unsuccessful if there are no consequences that result from the attack
• Some components of an attack from the perspective of a victim are:
- What happened?
- Who is affected?
- Who is the intruder?
- How did the intrusion happen?
OUTLINE
• Security incident
• Attack scenario
• Introduction to IDS
• IDS technologies
• Issues and challenges
• Conclusion
Attack scenario
• There are 5 steps involved in the attack scenario:
1. Reconnaissance
2. Scanning
3. Exploit the system
4. Keeping access
5. Covering the track
• Analysts use this flow of the attack scenario to detect an attack. An intruder may not use all 5 steps; it depends on the modus operandi and skills of the intruder.
Step 1: Reconnaissance
• Conduct an open source investigation to extract information about a target such as domain name server (DNS), internet protocol (IP) and staff information

| Reconnaissance tool | Description |
|---|---|
| Web-based reconnaissance | Numerous web sites offer the capability to research or attack other sites |
| Sam Spade | Capabilities such as ping, DNS lookup, whois, DNS zone transfer, traceroute, finger, check time |
| Google | Googling for vulnerable systems, etc. |
| DNS interrogation | Domain name and IP address |
| Web site searchers | Acquiring information about a company from public databases |
| Whois | Acquire name servers |
Step 2: Scanning
• An attacker uses a variety of vulnerability scanning tools to survey a target to find vulnerabilities in the target's defenses

| Scanning tool | Description |
|---|---|
| Vulnerability scanning with Nessus | Basically runs a port scanner and tries to connect to each port |
| War driving with NetStumbler | Trying to connect to unprotected wireless networks to gain network or internet access |
| Port scanning with nmap | To see which ports are open |
| THC-scan | Scans the network looking for unprotected modems that auto-answer with no passwords |
Step 3: Exploit the system
• An attacker tries to gain access, undermine an application or deny access to other users
• There are 3 ways to exploit the system:
– Gaining access
– Web application attack
– Denial of Service (DoS)
Gaining access
- Unauthorized access by eavesdropping on the communication channel
- e.g.: IP address spoofing, session hijacking, password cracking and worms
(diagram: Alice, Bob, Intruder)
Web application attack
Step 3: Exploit the system
- The information is not only intercepted, but modified by an unauthorized party while in transit from the source to the destination
- Examples: account harvesting, SQL injection and cross-site scripting
(diagram: Alice, Bob, Intruder)
Denial of Service (DoS)
Step 3: Exploit the system
- An asset of the system gets destroyed or becomes unavailable (diagram: source, destination)

| Launch | 1. Stopping services | 2. Exhausting resources |
|---|---|---|
| Local | process killing, process crashing, system reconfig | spawning to fill the process table, filling up the whole file system |
| Network-based | malformed packet (bonk) | packet floods (SYN flood) |
SYN Flood Attack (attack example)
- A normal connection between a user (Alice) and a server.
- The three-way handshake is correctly performed.
SYN Flood Attack
-The attacker (Bob) sends several packets but does not send the "ACK" back to the server.
-The connections are hence half-opened and eat the server resources.
-Alice, a legitimate user, tries to connect but the server refuses to open a connection resulting in a denial of service.
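The half-open connection build-up described in these two slides is exactly what a network IDS watches for. The following is an added example, not part of the original slides: it replays constructed packet summaries, tracks the state of every TCP handshake, and flags any client that leaves more than a threshold of handshakes incomplete. The addresses, port range and the threshold of 20 are assumptions chosen for the example.

```python
"""Half-open TCP connection tracking for SYN flood detection (added example)."""
from collections import defaultdict

# Constructed packet summaries: (src, sport, dst, dport, flags).
# Alice (10.0.0.5) completes one handshake with the server 10.0.0.1;
# Bob (10.0.0.9) sends 60 SYNs, receives SYN-ACKs and never sends the ACK.
PACKETS = [
    ("10.0.0.5", 40000, "10.0.0.1", 80, "SYN"),
    ("10.0.0.1", 80, "10.0.0.5", 40000, "SYN-ACK"),
    ("10.0.0.5", 40000, "10.0.0.1", 80, "ACK"),
] + [
    pkt
    for port in range(50000, 50060)
    for pkt in (("10.0.0.9", port, "10.0.0.1", 80, "SYN"),
                ("10.0.0.1", 80, "10.0.0.9", port, "SYN-ACK"))
]


def track_handshakes(packets):
    """Replay packets and return {client: (completed, half_open)}.

    A handshake is keyed by (client, client port, server, server port) and
    moves SYN -> SYN-ACK -> EST; anything not in EST is half-open.
    """
    state = {}
    for src, sport, dst, dport, flags in packets:
        if flags == "SYN":
            state[(src, sport, dst, dport)] = "SYN"
        elif flags == "SYN-ACK":
            key = (dst, dport, src, sport)  # reply travels server -> client
            if state.get(key) == "SYN":
                state[key] = "SYN-ACK"
        elif flags == "ACK":
            key = (src, sport, dst, dport)
            if state.get(key) == "SYN-ACK":
                state[key] = "EST"
    counts = defaultdict(lambda: [0, 0])
    for (client, _, _, _), st in state.items():
        counts[client][0 if st == "EST" else 1] += 1
    return {client: tuple(v) for client, v in counts.items()}


def syn_flood_suspects(packets, threshold=20):
    """Clients holding more than `threshold` half-open connections (threshold is an assumption)."""
    per_client = track_handshakes(packets)
    return sorted(c for c, (_, half_open) in per_client.items() if half_open > threshold)


if __name__ == "__main__":
    for client, (done, half) in track_handshakes(PACKETS).items():
        print(f"{client}: completed={done} half-open={half}")
    print("SYN flood suspects:", syn_flood_suspects(PACKETS))
```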
Step 4: Keeping access
• The attacker maintains access by manipulating the software installed on the system to achieve backdoor access
• Examples: backdoors and trojan horses
(diagram: Alice, Bob, attacker, backdoor)
Step 5: Covering the track
• The attacker maintains hard-fought access by covering tracks, hiding from users and system administrators using a variety of techniques
• Covering tracks in Unix, Windows and on the network is different
– Hide files under simple names like "dot space"
Attack scenarios
(diagram: information source, communication channel, information destination)
1. Interruption
2. Interception
3. Modification
4. Fabrication
Intrusion detection system (IDS)
Intrusion:
A sequence of related actions performed by a malicious adversary that results in the compromise of a target computing or networking domain
Intrusion detection:
Processes to identify and respond to malicious activity targeted at a computing or networking domain
Intrusion Detection System (IDS):
A system that automates the intrusion detection process
Terminology in IDS
• Attack
– a failed attempt to enter the system
• False negative
– test result implying a condition does not exist when in fact it does.
• False positive
– test result implying a condition exists when in fact it does not.
The Common Intrusion Detection Framework (CIDF) models an IDS aggregate as four components [Porras et al., 1998]:
- event box (E-box)
- analysis box (A-box)
- database box (D-box)
- response box (R-box)
(diagram: E-boxes exchange raw audit data with the monitored environment; E-boxes, A-boxes, the D-box and the R-box exchange events)
Intrusion Detection Characterization
- Approach: anomaly detection, signature detection
- Protected system: HIDS, NIDS, hybrids
- Structure: centralised system, distributed system, agent system
- Data source: audit trail, network packets, system state analysis (kernel, services, files)
- Behaviour after an attack: active response, passive response
- Analysis timing: real time processing, interval based
Source: Przemyslaw & Piotr
IDS approach: Signature vs Anomaly
(diagram: audit data compared against a signature base, "Match?"; audit data compared against a system profile, "Statistically anomalous?")
1. Signature based – audit data collected by the IDS is compared with the content of the signature base; if a match IS found, an alert is generated
2. Anomaly based – audit data collected by the IDS is compared with the system profile (normal behaviour); if a match is NOT found, an alert is generated
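To make the two approaches concrete, together with the false positive and false negative terms from the terminology slide, here is an added example that is not part of the original slides: the same constructed host audit records are run through a signature matcher and a profile-based anomaly detector, and each detector's true and false positives and negatives are counted against the labels. The signature patterns, users, commands and labels are all constructed for the example.

```python
"""Signature-based vs anomaly-based detection over a host audit trail (added example)."""
import re
from collections import defaultdict

# Signature base: name -> regex over the audited command line (constructed).
SIGNATURES = {
    "shadow-file-read": re.compile(r"/etc/shadow\b"),
    "shell-history-wipe": re.compile(r"\bhistory\s+-c\b|\.bash_history\b"),
}

# Training window of normal behaviour: (user, command line), constructed.
NORMAL_AUDIT = [
    ("alice", "ls -la"), ("alice", "cat notes.txt"), ("alice", "vim notes.txt"),
    ("alice", "git status"), ("bob", "ls"), ("bob", "grep -r TODO src"),
    ("bob", "make"), ("bob", "gcc -o app main.c"),
]

# Events to analyse, labelled for evaluation: (user, command line, is_intrusion).
TEST_AUDIT = [
    ("alice", "ls -la /home/alice", False),
    ("alice", "cat /etc/shadow", True),      # known pattern, but 'cat' is normal for alice
    ("bob", "gcc -o tool tool.c", False),
    ("bob", "history -c", True),             # known pattern and unusual for bob
    ("alice", "nmap -sS 10.0.0.1", True),    # no signature, but unusual for alice
    ("bob", "htop", False),                  # benign but never seen before
]


def signature_detect(user, cmd):
    """Alert when any signature matches the audit record (match IS found)."""
    return any(sig.search(cmd) for sig in SIGNATURES.values())


def build_profile(normal_audit):
    """System profile: the set of program names each user normally runs."""
    profile = defaultdict(set)
    for user, cmd in normal_audit:
        profile[user].add(cmd.split()[0])
    return profile


def anomaly_detect(profile, user, cmd):
    """Alert when the program is NOT in the user's profile (match NOT found)."""
    return cmd.split()[0] not in profile.get(user, set())


def evaluate(detector, events):
    """Count true positives, false positives, false negatives and true negatives."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for user, cmd, is_intrusion in events:
        alert = detector(user, cmd)
        if alert and is_intrusion:
            counts["tp"] += 1
        elif alert:
            counts["fp"] += 1      # alert on benign activity
        elif is_intrusion:
            counts["fn"] += 1      # intrusion that raised no alert
        else:
            counts["tn"] += 1
    return counts


def compare():
    """Evaluate both approaches on the same labelled audit data."""
    profile = build_profile(NORMAL_AUDIT)
    return {
        "signature": evaluate(signature_detect, TEST_AUDIT),
        "anomaly": evaluate(lambda u, c: anomaly_detect(profile, u, c), TEST_AUDIT),
    }


if __name__ == "__main__":
    for name, c in compare().items():
        print(f"{name:9s} TP={c['tp']} FP={c['fp']} FN={c['fn']} TN={c['tn']}")
```

The signature detector misses the unseen scan (a false negative) while the anomaly detector misses the shadow read by a user who normally runs `cat` and alerts on the benign new tool (a false positive), which is the trade-off the slide's two branches describe.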
Protected system in IDS
Network intrusion detection system (NIDS)
- Detects attacks by analyzing the network traffic exchanged on a network link
- Defense at the network level
Host-based intrusion detection system (HIDS)
- Detects attacks against a specific host by analyzing audit data produced by the host operating system
- Defense at the application level
Hybrids
- Detects attacks against a specific host by analyzing both the audit data produced by the host operating system and the network traffic
IDS structure
- Centralized system: the IDS can operate standalone
- Centralized application: integrated applications that create a distributed system (multiple IDS)
- Agent: a particular architecture with autonomous agents that are able to take pre-emptive and reactive measures and even to move over the network
IDS Data Source
• Audit trail – event log processing
• Network packets – a stream of network packets
• System state analysis – from kernel, services, files
IDS Behaviour after attack
• Active response
– The IDS responds to the suspicious activity by logging off a user or by reprogramming the firewall to block network traffic from the suspected malicious source
• Passive response
– The IDS detects a potential security breach, logs the information and signals an alert
IDS Analysis Timing
• Real time processing
– Performs online verification of system events
– Requires a large amount of RAM since no data storage is used
– Online monitoring, analysing events and user actions
• Interval based
– Related to the audit trail (event log processing)
– Records every event, consuming system resources
– Vulnerable to DoS attack by overflowing the system's free space
IDS Technologies
• IDS products
– Non-commercial IDS
• Snort, Emerald, Netstat, Bro and many others
– Commercial IDS
• SourceFire, NetProwler, NetRanger, Centrax, RealSecure and many others
IDS TECHNOLOGIES
• Immature and dynamic
• Research products
– e.g. Emerald, Netstat, Bro, etc.
• Commercial products (CMDS, NetProwler, NetRanger, Centrax, RealSecure, etc.)
IDS issues and challenges
• Operational challenges with IDS
– Too many IDS products
• IDS do not have the capability to look at every possible security event
– Difficulty with evaluating IDS technologies
• Identify and evaluate the processes, procedures and tools
– Lack of qualified technical staff
• To evaluate, select, install, operate and maintain IDS technologies
• Events from multiple sources – need to correlate the events
IDS issues and challenges
• IDS vs Intrusion prevention system (IPS)
- An IPS is a system to detect and also prevent the intrusion
- The difference between IPS and IDS is mainly that the IPS has the prevention process in line
• Will IPS replace IDS?
– Use both
Conclusion
- IDS is a technology that can be used to detect an attack, but IDS capabilities can be improved in the future
References:
- Christopher Kruegel, Fredrik Valeur, Giovanni Vigna (2005). Intrusion Detection and Correlation: Challenges and Solutions. Springer Science+Business Media Inc, USA.
- Ed Skoudis and SANS (2006). Computer and Network Hacking Exploits. SANS.
- http://www.sei.cmu.edu/publications/documents/99.reports/99tr028/99tr028chap01.html
- http://www.windowsecurity.com/articles/IDS-Part2-Classification-methods-techniques.html
Thank you